Abstract

Calculi with control operators have been studied as extensions of simple type theory. Real programming languages contain datatypes, so to really understand control operators, one should also include these in the calculus. As a first step in that direction, we introduce λμ^T, a combination of Parigot's λμ-calculus and Gödel's T, to extend a calculus with control operators with a datatype of natural numbers with a primitive recursor.

We consider the problem of confluence on raw terms, and that of strong normalization for the well-typed terms. Observing some problems with extending the proofs of Baba et al. and Parigot's original confluence proof, we provide new, and improved, proofs of confluence (by complete developments) and strong normalization (by reducibility and a postponement argument) for our system.

We conclude with some remarks about extensions, choices, and prospects 
for an improved presentation. 

1 Introduction 

In pursuit, on the one hand, of a satisfactory equational theory of call-by-value λ-calculus, and on the other, of a means to interpret the computational content of classical proofs, a variety of calculi with control operators have been proposed. Few of these systems address the problem of how to incorporate primitive datatypes in direct style, preferring instead to consider the usual Church encoding of datatypes or else to analyze computation over datatypes via CPS-translations.

In part this appears to arise because of the technical difficulty in getting 
standard results such as confluence or strong normalization, and their proof 
methods, either for classical calculi, or for simply-typed calculi with datatypes, 
to extend to their combination. 

This paper introduces a new λ-calculus with control, λμ^T, in which for example constructs for catch and throw may be represented, and which moreover has a basic datatype of natural numbers with a primitive recursor, in the style of Gödel's T. We demonstrate that it is possible to achieve a synthesis of classical computation with datatypes with a conventional metatheory of typing and reduction. To show how the system can be used in programming, we give a simple example in Example 3.16 where we define a function that multiplies the first n values of $f : \mathsf{N} \to \mathsf{N}$ and throws an exception as soon as it encounters the value 0.

1.1 Our approach 

Since Lafont's counterexample [GTL89], it is well known that a calculus providing a general content to classical logic cannot be confluent. It can only become confluent if one adds an evaluation strategy (call-by-name or call-by-value). To define a calculus with control operators and datatypes we have therefore observed a tension between the call-by-name features taken directly from Parigot's λμ-calculus, and the need to add certain call-by-value features to obtain a system that is confluent and satisfies a normal form theorem (each closed term of type N is convertible to a numeral). The λμ^T-calculus is therefore a call-by-name system with strict evaluation on datatypes. To avoid losing the normal form theorem, we could not make it a full call-by-name system, and to avoid losing confluence we had to restrict the primitive recursor to only allow conversion when the numerical argument is a numeral.

Given these technical considerations, we were able to prove that λμ^T satisfies subject reduction, has a normal form theorem, is confluent and is strongly normalizing. The last two proofs are non-trivial because various niceties are required to make the standard proof methods work.

Our confluence proof uses the notion of parallel reduction and defines a complete development for each term. Surprisingly, it was difficult to find a confluence proof for the original untyped λμ-calculus. Baba, Hirokawa and Fujita [BHF01] have given a confluence proof for λμ without the $\to_{\mu\eta}$-rule ($\mu\alpha.[\alpha]t \to t$ provided that $\alpha \notin \mathrm{FCV}(t)$). Although they suggest how to extend parallel reduction for the $\to_{\mu\eta}$-rule, they do not provide a formal definition of the complete development nor a proof. Nakazawa [Nak03] has successfully carried out their suggestion for a call-by-value variant of λμ, but does not use the notion of complete development. Walter Py's PhD thesis [Py98] was the only place where we have found a complete proof of confluence for λμ. It uses Aczel's generalization of parallel reduction [Acz78] and a number of postponement arguments. In the present paper we extend the methodology of [BHF01] to the case of λμ^T, which also includes the $\to_{\mu\eta}$-rule.

Our strong normalization proof proceeds by defining relations $\to_A$ and $\to_B$ such that $\to\ =\ \to_{AB}\ :=\ \to_A \cup \to_B$. First we prove that $\to_A$ is strongly normalizing by the reducibility method. Secondly, we prove that $\to_B$ is strongly normalizing and that both reductions commute in such a way that we can obtain strong normalization for $\to_{AB}$. The first phase is inspired by Parigot's proof of strong normalization for the λμ-calculus [Par97].

1.2 Related work



The extension of simply typed lambda calculus with control operators and the observation that these operators can be typed using the rules of classical logic is originally due to Griffin [Gri90] and has led to a lot of research [Par92, Par93, dG94, RS94, BS95, Coq96, BB96, AH03, vBLL05], by considering variations on the control operators, the underlying calculus or the computation rules, or by studying concrete examples of the computational content of proofs in classical logic. The λμ-calculus of Parigot [Par92] has become a central starting point for much research in this area.

The extension with datatypes, to make the calculus into a real programming 
language with control operators, has not received so much attention. We briefly 
summarize the research done in this direction and compare it with our work. 

Murthy has defined a system with control operators, arithmetic, products and sums in his PhD thesis [Mur90]. His system uses the control operators C and A (originally due to [Gri90]) and the semantics of these operators is specified by evaluation contexts rather than by local reduction rules, as we do. So his system does not really describe a calculus for datatypes and control. Furthermore, Murthy mainly considers CPS-translations to give an operational semantics of his system and did not prove properties like confluence or strong normalization.

Crolard and Polonowski have considered a version of Gödel's T with products and call/cc [CP11]. As with Murthy, the semantics is presented by CPS-translations instead of a direct specification via a calculus. Therefore properties like confluence and strong normalization are trivial because they hold for the target system already.

Barthe and Uustalu have worked on CPS-translations for inductive and coinductive types [BU02]. Their work includes a system with a primitive for iteration over the natural numbers and the control operator A. Unfortunately only some properties of CPS-translations are proven.

Rehof and Sørensen have described an extension of the λΔ-calculus with basic constants and functions [RS94]. Unfortunately their extension is quite limited. For example, the primitive recursor nrec takes terms, rather than basic constants, as its arguments. Their extension does not allow this, making it impossible to define nrec.

Parigot has described a second-order variant of his λμ-calculus [Par92]. This system is very powerful, because it includes all the well-known second-order representable datatypes. However, it suffers from the same weakness as System F, namely poor computational efficiency (for example, an O(n)-predecessor function). Also, as observed in [Par92, Par93], this system does not ensure unique representation of datatypes. For example, there is no one-to-one correspondence between natural numbers and closed normal forms of the type of Church numerals.

There have been various investigations into concrete examples of computational content of classical proofs. Coquand gives an overview in his notes [Coq96]. An earlier example is [BS95], where a binpacking problem is analyzed using proof transformations. More recent work is by Makarov [Mak06], who takes Griffin's calculus and adds various rules to optimize the extracted program.

If we look in particular at Gödel's T, Berger, Buchholz and Schwichtenberg have described a form of program extraction from classical proofs [BBS00]. Their method extracts a term from a classical proof in which all computationally irrelevant parts are removed. To prove the correctness of their approach they give a realizability interpretation. However, since their target language is Gödel's T, extracted programs do not contain control mechanisms.

Caldwell, Gent and Underwood have considered program extraction from classical proofs in the proof assistant NuPrl [CGU00]. In their work they extend NuPrl with a proof rule for Peirce's law and they associate call/cc to the extraction of Peirce's law. Now, program extraction indeed results in a program with control. The main focus of their work is on using program extraction to obtain efficient search algorithms. The authors do not prove any metatheoretical results, so it is unclear whether their approach is correct for arbitrary classical proofs.

1.3 Outline 

The paper is organized as follows: 

• Section 2 recapitulates Gödel's T, fixing notation and conventions, together with the key normal form property.

• Section 3 introduces λμ^T, our Gödel's T variant of Parigot's λμ-calculus extended with a datatype of natural numbers with primitive recursor nrec. We define the basic reduction rules, whose compatible closure defines computation in λμ^T. We show how to represent rules for a statically bound catch and throw mechanism. We prove subject reduction, and the extended analogue of the normal form property.

• In Section 4 we develop the corresponding CPS-translation for λμ^T, and show that it preserves typing and conversion.

• Section 5 contains one of our two principal technical contributions: a direct proof of confluence on the raw terms of λμ^T, based on a novel analysis of complete developments.

• In Section 6 our second technical contribution is to prove SN for our calculus, using the reducibility method and a postponement argument.

• We close with some conclusions and indications for further work, both in extending our system with a richer type system, and in investigating a fully-fledged call-by-value version.

2 Gödel's T

Gödel's T (henceforth λT) was introduced by Gödel to prove the consistency of Peano Arithmetic [SU06]. It arises from λ→ by addition of a base type for natural numbers and a construct for primitive recursion.

Definition 2.1. The types of λT are built from a basic type $\mathsf{N}$ (the natural numbers) and a function type ($\to$) as follows.

$\rho, \sigma, \tau ::= \mathsf{N} \mid \sigma \to \tau$

Definition 2.2. The terms of λT are inductively defined over an infinite set of λ-variables ($x, y, \ldots$) as follows.

$t, r, s ::= x \mid \lambda x : \rho.\,r \mid ts \mid 0 \mid \mathsf{S}t \mid \mathsf{nrec}_\rho\, r\, s\, t$

Here, $\rho$ ranges over λT-types.

As one would imagine, the terms $0$, $\mathsf{S}$ and $\mathsf{nrec}$ denote zero, the successor function and primitive recursion over the natural numbers, respectively. We let $\mathrm{FV}(t)$ denote the set of free variables of $t$ and we define the operation of capture avoiding substitution $t[x := r]$ of $r$ for $x$ in $t$ in the usual way.

Convention 2.3. Although a λ-abstraction and the nrec construct are annotated by a type, we omit these type annotations when they are obvious or not relevant. Furthermore, we use the Barendregt convention. That is, given an expression, we may assume that bound variables are distinct from free variables and that all bound variables are distinct.

Definition 2.4. The derivation rules for λT are as shown in Figure 1.

(a) var: $\dfrac{x : \rho \in \Gamma}{\Gamma \vdash x : \rho}$

(b) lambda: $\dfrac{\Gamma, x : \sigma \vdash t : \tau}{\Gamma \vdash \lambda x : \sigma.\,t : \sigma \to \tau}$

(c) app: $\dfrac{\Gamma \vdash t : \sigma \to \tau \qquad \Gamma \vdash s : \sigma}{\Gamma \vdash ts : \tau}$

(d) zero: $\dfrac{}{\Gamma \vdash 0 : \mathsf{N}}$

(e) suc: $\dfrac{\Gamma \vdash t : \mathsf{N}}{\Gamma \vdash \mathsf{S}t : \mathsf{N}}$

(f) nrec: $\dfrac{\Gamma \vdash r : \rho \qquad \Gamma \vdash s : \mathsf{N} \to \rho \to \rho \qquad \Gamma \vdash t : \mathsf{N}}{\Gamma \vdash \mathsf{nrec}_\rho\, r\, s\, t : \rho}$

Figure 1: The rules for typing judgments in λT.
Definition 2.5. Reduction $t \to t'$ is defined as the compatible closure of the following rules.

$(\lambda x.t)\,r \to t[x := r]$ (β)

$\mathsf{nrec}\, r\, s\, 0 \to r$ (0)

$\mathsf{nrec}\, r\, s\, (\mathsf{S}t) \to s\, t\, (\mathsf{nrec}\, r\, s\, t)$ (S)

As usual, $\twoheadrightarrow$ denotes the reflexive/transitive closure and $=$ denotes the reflexive/symmetric/transitive closure.
Although we do not specify a deterministic reduction strategy, it is obviously possible to create a call-by-name and a call-by-value version of λT. Yet it is interesting to remark that in a call-by-value version of λT calculating the predecessor takes at least linear time, while in a call-by-name version the predecessor can be calculated in constant time [CF98].

Fortunately, despite the additional features of λT, the important properties of λ→ (subject reduction, confluence and strong normalization) are preserved [GTL89, SU06].

Because it is convenient to be able to talk about a term representing an actual natural number, we introduce the following notation.

Notation 2.6. $\underline{n} := \mathsf{S}^n 0$

Definition 2.7. Values are inductively defined as follows.

$v, w ::= 0 \mid \mathsf{S}v \mid \lambda x.r$

Theorem 2.8. Given a term $t$ that is in normal form and such that $\vdash t : \rho$:

1. If $\rho = \mathsf{N}$, then $t = \underline{n}$ for some $n \in \mathbb{N}$.

2. If $\rho = \sigma \to \tau$, then $t = \lambda x.r$ for a variable $x$ and term $r$.

As the following indicates, the system λT has quite some expressive power.

Definition 2.9. A function $f : \mathbb{N}^n \to \mathbb{N}$ is representable in λT if there is a term $t$ with $\vdash t : \mathsf{N}^n \to \mathsf{N}$ such that:

$t\, \underline{m_1} \ldots \underline{m_n} \twoheadrightarrow \underline{f(m_1, \ldots, m_n)}$

Theorem 2.10. The functions representable in λT are exactly the functions that are provably recursive in first-order arithmetic¹.

Proof. This is proven in [SU06]. □

3 The λμ^T-calculus

In this section we present our Gödel's T extension of Parigot's λμ-calculus (henceforth λμ^T).

Definition 3.1. The terms and commands of λμ^T are mutually inductively defined over an infinite set of λ-variables ($x, y, \ldots$) and μ-variables ($\alpha, \beta, \ldots$) as follows.

$t, r, s ::= x \mid \lambda x : \rho.\,r \mid ts \mid \mu\alpha : \rho.\,c \mid 0 \mid \mathsf{S}t \mid \mathsf{nrec}_\rho\, r\, s\, t$
$c, d ::= [\alpha]t$

Here, $\rho$ ranges over λT-types (Definition 2.1). We give $[\alpha]t$ lower precedence than $sr$, allowing us to write $[\alpha]sr$ instead of $[\alpha](sr)$.

¹Here we are allowed to say either Peano Arithmetic (PA) or Heyting Arithmetic (HA), because a function is provably recursive in PA iff it is provably recursive in HA [SU06].
As usual, we let $\mathrm{FV}(t)$ and $\mathrm{FCV}(t)$ denote the set of free λ-variables and μ-variables of $t$, respectively. Moreover, we define substitution $t[x := r]$ of $r$ for $x$ in $t$, which is capture avoiding for both λ- and μ-variables, in the obvious way. Similar to Convention 2.3, we will often omit type annotations for μ-binders.

Notation 3.2. $\mu\_.c := \mu\gamma.c$ provided that $\gamma \notin \mathrm{FCV}(c)$.

Definition 3.3. The typing rules for λμ^T are as shown in Figure 2.

(a) axiom: $\dfrac{x : \rho \in \Gamma}{\Gamma; \Delta \vdash x : \rho}$

(b) lambda: $\dfrac{\Gamma, x : \sigma; \Delta \vdash t : \tau}{\Gamma; \Delta \vdash \lambda x : \sigma.\,t : \sigma \to \tau}$

(c) app: $\dfrac{\Gamma; \Delta \vdash t : \sigma \to \tau \qquad \Gamma; \Delta \vdash s : \sigma}{\Gamma; \Delta \vdash ts : \tau}$

(d) zero: $\dfrac{}{\Gamma; \Delta \vdash 0 : \mathsf{N}}$

(e) suc: $\dfrac{\Gamma; \Delta \vdash t : \mathsf{N}}{\Gamma; \Delta \vdash \mathsf{S}t : \mathsf{N}}$

(f) nrec: $\dfrac{\Gamma; \Delta \vdash r : \rho \qquad \Gamma; \Delta \vdash s : \mathsf{N} \to \rho \to \rho \qquad \Gamma; \Delta \vdash t : \mathsf{N}}{\Gamma; \Delta \vdash \mathsf{nrec}_\rho\, r\, s\, t : \rho}$

(g) activate: $\dfrac{\Gamma; \Delta, \alpha : \rho \vdash c : \bot}{\Gamma; \Delta \vdash \mu\alpha : \rho.\,c : \rho}$

(h) passivate: $\dfrac{\Gamma; \Delta \vdash t : \rho \qquad \alpha : \rho \in \Delta}{\Gamma; \Delta \vdash [\alpha]t : \bot}$

Figure 2: The rules for typing judgments in λμ^T.



A typing judgment $\Gamma; \Delta \vdash t : \rho$ is derivable in λμ^T in case it is the conclusion of a derivation tree that uses the rules of Definition 3.3. We say "term $t$ has type $\rho$ in environment of λ-variables $\Gamma$ and environment of μ-variables $\Delta$".

Similarly, a typing judgment $\Gamma; \Delta \vdash c : \bot$ is derivable in λμ^T in case it is the conclusion of a derivation tree that uses the rules of Definition 3.3. We say "command $c$ is typable in environment of λ-variables $\Gamma$ and environment of μ-variables $\Delta$".

Fact 3.4. The typing judgment is closed under weakening of both environments. That is, if $\Gamma; \Delta \vdash t : \rho$, $\Gamma \subseteq \Gamma'$ and $\Delta \subseteq \Delta'$, then $\Gamma'; \Delta' \vdash t : \rho$.

In order to define the reduction rules we first define the notions of contexts and structural substitution. Although the reduction rules merely require contexts of a restricted shape (those that are singular), we define contexts of a more general shape so that we can reuse these definitions in our proofs of confluence (Section 5) and strong normalization (Section 6).

Definition 3.5. A λμ^T-context is defined as follows.

$E ::= \Box \mid Et \mid \mathsf{S}E \mid \mathsf{nrec}\, r\, s\, E$
A context is singular if it is of the following shape.

$E^s ::= \Box t \mid \mathsf{S}\Box \mid \mathsf{nrec}\, r\, s\, \Box$

Definition 3.6. Given a context $E$ and a term $s$, substitution of $s$ for the hole in $E$, notation $E[s]$, is defined as follows.

$\Box[s] := s$
$(Et)[s] := E[s]\,t$
$(\mathsf{S}E)[s] := \mathsf{S}E[s]$
$(\mathsf{nrec}\, r\, s\, E)[s] := \mathsf{nrec}\, r\, s\, E[s]$

Definition 3.7. Given contexts $E$ and $F$, the context $EF$ is defined by:

$\Box F := F$
$(Et)F := (EF)t$
$(\mathsf{S}E)F := \mathsf{S}(EF)$
$(\mathsf{nrec}\, r\, s\, E)F := \mathsf{nrec}\, r\, s\, (EF)$

Fact 3.8. $E[F[t]] = EF[t]$

Using contexts we can now define structural substitution. Structural substitution of a μ-variable $\beta$ and a context $E$ for a μ-variable $\alpha$ in $t$, notation $t[\alpha := \beta E]$, recursively replaces each command $[\alpha]q$ in $t$ by $[\beta]E[q']$ where $q' = q[\alpha := \beta E]$. Our notion of structural substitution is more general than Parigot's original presentation [Par92]. He defines $t[\beta := \alpha]$, which renames each μ-variable $\beta$ in $t$ into $\alpha$, and $t[\alpha := s]$, which replaces each command $[\alpha]q$ in $t$ by $[\alpha]q's$ where $q' = q[\alpha := s]$. Of course, his notions are just instances of our definition, namely, the former corresponds to $t[\beta := \alpha\, \Box]$ and the latter to $t[\alpha := \alpha\, (\Box s)]$. Parigot's presentation suffices for the definition of the reduction rules, but our presentation allows us to prove properties like confluence (Section 5) and strong normalization (Section 6) in a more streamlined way.

Definition 3.9. Structural substitution $t[\alpha := \beta E]$ of a μ-variable $\beta$ and a context $E$ for a μ-variable $\alpha$ is defined as follows.

$x[\alpha := \beta E] := x$
$(\lambda x.r)[\alpha := \beta E] := \lambda x.\,r[\alpha := \beta E]$
$(ts)[\alpha := \beta E] := t[\alpha := \beta E]\; s[\alpha := \beta E]$
$0[\alpha := \beta E] := 0$
$(\mathsf{S}t)[\alpha := \beta E] := \mathsf{S}(t[\alpha := \beta E])$
$(\mathsf{nrec}\, r\, s\, t)[\alpha := \beta E] := \mathsf{nrec}\, (r[\alpha := \beta E])\, (s[\alpha := \beta E])\, (t[\alpha := \beta E])$
$(\mu\gamma.c)[\alpha := \beta E] := \mu\gamma.\,c[\alpha := \beta E]$
$([\alpha]t)[\alpha := \beta E] := [\beta]E[t[\alpha := \beta E]]$
$([\gamma]t)[\alpha := \beta E] := [\gamma]\,t[\alpha := \beta E]$ provided that $\gamma \neq \alpha$

Structural substitution is capture avoiding for both λ- and μ-variables.
Definition 3.10. Reduction $t \to t'$ is defined as the compatible closure of the following rules.

$(\lambda x.t)\,r \to t[x := r]$ (β)

$\mathsf{S}(\mu\alpha.c) \to \mu\alpha.\,c[\alpha := \alpha\, (\mathsf{S}\Box)]$ (μS)

$(\mu\alpha.c)\,s \to \mu\alpha.\,c[\alpha := \alpha\, (\Box s)]$ (μR)

$\mu\alpha.[\alpha]t \to t$ provided that $\alpha \notin \mathrm{FCV}(t)$ (μη)

$[\alpha]\mu\beta.c \to c[\beta := \alpha\, \Box]$ (μi)

$\mathsf{nrec}\, r\, s\, 0 \to r$ (0)

$\mathsf{nrec}\, r\, s\, (\mathsf{S}\underline{n}) \to s\, \underline{n}\, (\mathsf{nrec}\, r\, s\, \underline{n})$ (S)

$\mathsf{nrec}\, r\, s\, (\mu\alpha.c) \to \mu\alpha.\,c[\alpha := \alpha\, (\mathsf{nrec}\, r\, s\, \Box)]$ (μN)

As usual, $\to^+$ denotes the transitive closure, $\twoheadrightarrow$ denotes the reflexive/transitive closure and $=$ denotes the reflexive/symmetric/transitive closure of $\to$.

Fact 3.11. As in [FH92], the notion of a singular context allows us to replace the reduction rules $\to_{\mu S}$, $\to_{\mu R}$ and $\to_{\mu N}$ by the following single rule.

$E^s[\mu\alpha.c] \to \mu\alpha.\,c[\alpha := \alpha E^s]$

Fact 3.12. $E[\mu\alpha.c] \twoheadrightarrow \mu\alpha.\,c[\alpha := \alpha E]$

From a computational point of view one should think of $\mu\alpha.[\beta]t$ as a combined operation that catches exceptions labeled $\alpha$ in $t$ and throws the result of $t$ to $\beta$. Following Crolard [Cro99], we define the operators catch and throw.

Definition 3.13. The terms $\mathsf{catch}_\alpha\, t$ and $\mathsf{throw}_\beta\, s$ are defined as follows.

$\mathsf{catch}_\alpha\, t := \mu\alpha.[\alpha]t$
$\mathsf{throw}_\beta\, s := \mu\_.[\beta]s$

Similar to commands, we give $\mathsf{catch}_\alpha\, t$ and $\mathsf{throw}_\beta\, s$ lower precedence than $sr$, allowing us to write $\mathsf{catch}_\alpha\, sr$ instead of $\mathsf{catch}_\alpha\, (sr)$.

Crolard [Cro99] moreover defines a system with catch and throw as primitives and proves a correspondence with the λμ-calculus. We prove that the above simulation of catch and throw satisfies a generalization of Crolard's rules.

Lemma 3.14. We have the following reductions for catch and throw.

1. $E[\mathsf{catch}_\alpha\, t] \twoheadrightarrow \mathsf{catch}_\alpha\, E[t[\alpha := \alpha E]]$

2. $E[\mathsf{throw}_\alpha\, t] \twoheadrightarrow \mathsf{throw}_\alpha\, t$

3. $\mathsf{catch}_\alpha\, \mathsf{catch}_\beta\, t \to \mathsf{catch}_\alpha\, t[\beta := \alpha\Box]$

4. $\mathsf{throw}_\alpha\, \mathsf{throw}_\beta\, t \to \mathsf{throw}_\beta\, t$

5. $\mathsf{throw}_\alpha\, \mathsf{catch}_\beta\, t \to \mathsf{throw}_\alpha\, t[\beta := \alpha\Box]$

6. $\mathsf{catch}_\alpha\, \mathsf{throw}_\alpha\, t \to \mathsf{catch}_\alpha\, t$

7. $\mathsf{catch}_\alpha\, t \to t$ provided that $\alpha \notin \mathrm{FCV}(t)$

Proof. These reductions follow directly from the reduction rules of λμ^T, except for (1) and (2) where we need Fact 3.12. □

The catch and throw as defined above give rise to a system with statically bound exceptions. This is different from exceptions in for example Lisp, where they are dynamically bound. In a system with dynamically bound exceptions, substitution is not capture avoiding for exception names.

Example 3.15. Consider the following term:

$\mathsf{catch}_\alpha\, \mathsf{S}((\lambda f : \mathsf{N} \to \mathsf{N}.\, \mathsf{catch}_\alpha\, f\, 0)\, (\lambda x : \mathsf{N}.\, \mathsf{throw}_\alpha\, x))$.

Here, both occurrences of catch bind different occurrences of $\alpha$. So after two β-reduction steps we obtain $\mathsf{catch}_\alpha\, \mathsf{S}(\mathsf{catch}_\alpha\, \mathsf{throw}_\alpha\, 0)$ and hence its normal form is $0$. In systems with dynamically bound exceptions this term would reduce to $\mathsf{S}0$ because the throw would get caught by the innermost catch.

Example 3.16. We consider a simple λμ^T-program $F$ that, given $f : \mathsf{N} \to \mathsf{N}$, computes the product of the first $n$ values of $f$, that is $F\, \underline{n} = f\, \underline{0} * \ldots * f\, \underline{n}$ for $n \in \mathbb{N}$. The interest of this program is that it uses the exception mechanism to stop multiplying once a zero is encountered. First we define addition and multiplication in the usual way in λμ^T.

$(+) := \lambda nm.\, \mathsf{nrec}\, m\, (\lambda xy.\, \mathsf{S}y)\, n$
$(*) := \lambda nm.\, \mathsf{nrec}\, 0\, (\lambda xy.\, m + y)\, n$

Now, given $f : \mathsf{N} \to \mathsf{N}$, we define the term $F : \mathsf{N} \to \mathsf{N}$, using a 'helper function' $H$, which does a case analysis on the value of $f\, y$, as follows.

$F := \lambda x.\, \mathsf{catch}_\alpha\, \mathsf{nrec}\, \underline{1}\, H\, (\mathsf{S}x)$

$H := \lambda y\, m.\, \mathsf{nrec}\, (\mathsf{throw}_\alpha\, 0)\, (\lambda z\, \_.\, m * \mathsf{S}z)\, (f\, y)$.

Let $f : \mathsf{N} \to \mathsf{N}$ be some term that satisfies $f\, \underline{0} = \underline{3}$, $f\, \underline{1} = \underline{0}$ and $f\, \underline{2} = \underline{5}$. We show a computation of $F\, \underline{2}$.

$F\, \underline{2} \twoheadrightarrow \mathsf{catch}_\alpha\, \mathsf{nrec}\, \underline{1}\, H\, \underline{3}$

$\twoheadrightarrow \mathsf{catch}_\alpha\, H\, \underline{2}\, (\mathsf{nrec}\, \underline{1}\, H\, \underline{2})$

$\twoheadrightarrow \mathsf{catch}_\alpha\, \mathsf{nrec}\, (\mathsf{throw}_\alpha\, 0)\, (\lambda z\, \_.\, (\mathsf{nrec}\, \underline{1}\, H\, \underline{2}) * \mathsf{S}z)\, (f\, \underline{2})$

$\twoheadrightarrow \mathsf{catch}_\alpha\, (\mathsf{nrec}\, \underline{1}\, H\, \underline{2}) * \underline{5}$

$\twoheadrightarrow \mathsf{catch}_\alpha\, (H\, \underline{1}\, (\mathsf{nrec}\, \underline{1}\, H\, \underline{1})) * \underline{5}$

$\twoheadrightarrow \mathsf{catch}_\alpha\, (\mathsf{nrec}\, (\mathsf{throw}_\alpha\, 0)\, (\lambda z\, \_.\, (\mathsf{nrec}\, \underline{1}\, H\, \underline{1}) * \mathsf{S}z)\, (f\, \underline{1})) * \underline{5}$

$\twoheadrightarrow \mathsf{catch}_\alpha\, \mathsf{throw}_\alpha\, 0 * \underline{5}$

$\twoheadrightarrow \mathsf{catch}_\alpha\, \mathsf{nrec}\, 0\, (\lambda xy.\, \underline{5} + y)\, (\mathsf{throw}_\alpha\, 0)$

$\twoheadrightarrow \mathsf{catch}_\alpha\, \mathsf{throw}_\alpha\, 0$

$\twoheadrightarrow 0$
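The following Python model, added here and not taken from the paper, mirrors Examples 3.15 and 3.16: Python exceptions carrying a fresh per-catch label play the role of statically bound catch/throw (Definition 3.13), a dynamically bound variant is given for contrast, and nrec is evaluated call-by-name so that the base case throw_α 0 is only reached when f y is 0. The function names (catch, catch_dynamic, nrec, add, mul, F, example_3_15) and the table for f are ours.

```python
# Constructed example: a Python model of nrec with statically bound catch/throw,
# following Definition 3.13 and Examples 3.15 and 3.16. Not the paper's code.

class Throw(Exception):
    """The exception raised by throw_alpha v: carries the catch label and v."""
    def __init__(self, label, value):
        super().__init__(value)
        self.label = label
        self.value = value


def nrec(r, s, n):
    """nrec r s n, call-by-name: r and the recursive result are thunks, so the
    (0) case (and hence a throw placed there) is only evaluated when demanded."""
    if n == 0:
        return r()
    return s(n - 1, lambda: nrec(r, s, n - 1))


def catch(body):
    """catch_alpha t := mu alpha.[alpha]t.  body receives throw_alpha, bound to a
    fresh label, so a throw aimed at an enclosing catch passes straight through
    (static binding, Example 3.15)."""
    label = object()

    def throw(value):
        raise Throw(label, value)

    try:
        return body(throw)
    except Throw as exc:
        if exc.label is label:
            return exc.value
        raise  # addressed to another catch: keep unwinding


def catch_dynamic(body):
    """The Lisp-style variant: the innermost handler wins regardless of label."""
    def throw(value):
        raise Throw(None, value)

    try:
        return body(throw)
    except Throw as exc:
        return exc.value


def add(n, m):
    """(+) := lambda n m . nrec m (lambda x y . S y) n"""
    return nrec(lambda: m, lambda x, y: y() + 1, n)


def mul(n, m):
    """(*) := lambda n m . nrec 0 (lambda x y . m + y) n"""
    return nrec(lambda: 0, lambda x, y: add(m, y()), n)


def F(f, x, catch_fn=catch):
    """F := lambda x . catch_alpha nrec 1 H (S x), with
    H := lambda y m . nrec (throw_alpha 0) (lambda z _ . m * S z) (f y):
    the product f 0 * ... * f x, aborted with 0 at the first zero factor."""
    def body(throw):
        def H(y, m):
            return nrec(lambda: throw(0), lambda z, _: mul(m(), z + 1), f(y))
        return nrec(lambda: 1, H, x + 1)
    return catch_fn(body)


def example_3_15(catch_fn):
    """catch_alpha S((lambda f . catch_alpha' f 0) (lambda x . throw_alpha x)):
    0 under static binding, S 0 = 1 under dynamic binding."""
    return catch_fn(lambda throw_outer:
                    1 + catch_fn(lambda throw_inner:
                                 (lambda f: f(0))(lambda x: throw_outer(x))))


def f_page(y):
    """The f of Example 3.16: f 0 = 3, f 1 = 0, f 2 = 5 (constructed table)."""
    return {0: 3, 1: 0, 2: 5}[y]


if __name__ == "__main__":
    print(F(f_page, 2))                # 0: the throw at f 1 = 0 aborts the product
    print(F(lambda y: y + 1, 3))       # 24 = 1 * 2 * 3 * 4, no throw
    print(example_3_15(catch), example_3_15(catch_dynamic))  # 0 1
```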
In order to prove that λμ^T satisfies subject reduction we have to prove that each reduction rule preserves typing. Because some of the reduction rules involve structural substitution, it is convenient to prove an auxiliary result that structural substitution preserves typing. To express this property we introduce the notion of a contextual typing judgment, notation $\Gamma; \Delta \vdash E : \sigma \Leftarrow \rho$, which expresses that $\Gamma; \Delta \vdash t : \rho$ implies $\Gamma; \Delta \vdash E[t] : \sigma$.

Definition 3.17. The derivation rules for the contextual typing judgment $\Gamma; \Delta \vdash E : \sigma \Leftarrow \rho$ are as shown in Figure 3.

(a) hole: $\dfrac{}{\Gamma; \Delta \vdash \Box : \rho \Leftarrow \rho}$

(b) app: $\dfrac{\Gamma; \Delta \vdash E : \sigma \to \tau \Leftarrow \rho \qquad \Gamma; \Delta \vdash t : \sigma}{\Gamma; \Delta \vdash Et : \tau \Leftarrow \rho}$

(c) suc: $\dfrac{\Gamma; \Delta \vdash E : \mathsf{N} \Leftarrow \rho}{\Gamma; \Delta \vdash \mathsf{S}E : \mathsf{N} \Leftarrow \rho}$

(d) nrec: $\dfrac{\Gamma; \Delta \vdash r : \sigma \qquad \Gamma; \Delta \vdash s : \mathsf{N} \to \sigma \to \sigma \qquad \Gamma; \Delta \vdash E : \mathsf{N} \Leftarrow \rho}{\Gamma; \Delta \vdash \mathsf{nrec}\, r\, s\, E : \sigma \Leftarrow \rho}$

Figure 3: The rules for contextual typing judgments in λμ^T.



Fact 3.18. Contextual typing judgments do indeed enjoy the intended behavior. That is, we have $\Gamma; \Delta \vdash E[t] : \sigma$ iff there is a type $\rho$ such that $\Gamma; \Delta \vdash E : \sigma \Leftarrow \rho$ and $\Gamma; \Delta \vdash t : \rho$.

Fact 3.19. Typing is preserved under (structural) substitution.

1. If $\Gamma, x : \rho; \Delta \vdash t : \tau$ and $\Gamma; \Delta \vdash r : \rho$, then $\Gamma; \Delta \vdash t[x := r] : \tau$.

2. If $\Gamma; \Delta, \alpha : \rho \vdash t : \tau$ and $\Gamma; \Delta \vdash E : \sigma \Leftarrow \rho$, then $\Gamma; \Delta, \beta : \sigma \vdash t[\alpha := \beta E] : \tau$.

We have corresponding results for commands.

Proof. The first property is proven by mutual induction on the derivations of $\Gamma, x : \rho; \Delta \vdash t : \tau$ and $\Gamma, x : \rho; \Delta \vdash c : \bot$. All cases are straightforward. The second property is proven by induction on the derivations of $\Gamma; \Delta, \alpha : \rho \vdash t : \tau$ and $\Gamma; \Delta, \alpha : \rho \vdash c : \bot$. Most cases are straightforward, so we only treat the passivate case. Let $\Gamma; \Delta, \alpha : \rho \vdash [\alpha]t : \bot$ with $\Gamma; \Delta, \alpha : \rho \vdash t : \rho$. By the induction hypothesis we have $\Gamma; \Delta, \beta : \sigma \vdash t[\alpha := \beta E] : \rho$. This leaves us to prove that $\Gamma; \Delta, \beta : \sigma \vdash ([\alpha]t)[\alpha := \beta E] : \bot$. Since $([\alpha]t)[\alpha := \beta E] = [\beta]E[t[\alpha := \beta E]]$, the result follows from Fact 3.18 and the induction hypothesis. □

Theorem 3.20. The λμ^T-calculus satisfies subject reduction.

Proof. We have to prove that all reduction rules preserve typing.

1. Proving that the result holds for the $\to_\beta$-, $\to_0$- and $\to_S$-rule is straightforward, so we omit that.

2. To prove that the result holds for the $\to_{\mu R}$-, $\to_{\mu S}$- and $\to_{\mu N}$-rule it is sufficient to show that the result holds for $E^s[\mu\alpha.c] \to \mu\beta.\,c[\alpha := \beta E^s]$ by Fact 3.11. Given $\Gamma; \Delta \vdash E^s[\mu\alpha.c] : \tau$ we use Fact 3.18 to obtain a type $\sigma$ such that $\Gamma; \Delta \vdash \mu\alpha.c : \sigma$ and $\Gamma; \Delta \vdash E^s : \tau \Leftarrow \sigma$. The derivation of the left-hand side is

$\dfrac{\dfrac{\Gamma; \Delta, \alpha : \sigma \vdash c : \bot}{\Gamma; \Delta \vdash \mu\alpha.c : \sigma} \qquad \Gamma; \Delta \vdash E^s : \tau \Leftarrow \sigma}{\Gamma; \Delta \vdash E^s[\mu\alpha.c] : \tau}$

and the right-hand side is typed by

$\dfrac{\Gamma; \Delta, \beta : \tau \vdash c[\alpha := \beta E^s] : \bot}{\Gamma; \Delta \vdash \mu\beta.\,c[\alpha := \beta E^s] : \tau}$

Here we have $\Gamma; \Delta, \beta : \tau \vdash c[\alpha := \beta E^s] : \bot$ by Fact 3.19.

3. For the $\to_{\mu\eta}$-rule we have the following.

$\dfrac{\dfrac{\Gamma; \Delta, \alpha : \rho \vdash t : \rho}{\Gamma; \Delta, \alpha : \rho \vdash [\alpha]t : \bot}}{\Gamma; \Delta \vdash \mu\alpha.[\alpha]t : \rho} \quad \to \quad \Gamma; \Delta \vdash t : \rho$

Since $\alpha \notin \mathrm{FCV}(t)$, we have $\Gamma; \Delta \vdash t : \rho$ by strengthening.

4. For the $\to_{\mu i}$-rule we have the following.

$\dfrac{\dfrac{\Gamma; \Delta, \alpha : \rho, \beta : \rho \vdash c : \bot}{\Gamma; \Delta, \alpha : \rho \vdash \mu\beta.c : \rho}}{\Gamma; \Delta, \alpha : \rho \vdash [\alpha]\mu\beta.c : \bot} \quad \to \quad \Gamma; \Delta, \alpha : \rho \vdash c[\beta := \alpha\Box] : \bot$

Here we have $\Gamma; \Delta, \alpha : \rho \vdash c[\beta := \alpha\Box] : \bot$ by Fact 3.19 and the fact that $\Gamma; \Delta, \alpha : \rho \vdash \Box : \rho \Leftarrow \rho$. □

The $\to_S$-rule, in contrast to the corresponding rule of λT (Definition 2.5), only allows conversion when the numerical argument is a numeral. This restriction ensures that primitive recursion is not performed on terms that might reduce to a term of the shape $\mu\alpha.c$. If we omit this restriction we lose confluence.

Example 3.21. We illustrate this by considering a variant of our system with the following rule instead.

$\mathsf{nrec}\, r\, s\, (\mathsf{S}t) \to s\, t\, (\mathsf{nrec}\, r\, s\, t)$ (S′)

Now we can reduce the term $t = \mu\alpha.[\alpha]\mathsf{nrec}\, 0\, (\lambda xh.\underline{2})\, (\mathsf{S}\mu\_.[\alpha]\underline{4})$ to two distinct normal forms:

$t = \mu\alpha.[\alpha]\mathsf{nrec}\, 0\, (\lambda xh.\underline{2})\, (\mathsf{S}\mu\_.[\alpha]\underline{4})$

$\to \mu\alpha.[\alpha]\mathsf{nrec}\, 0\, (\lambda xh.\underline{2})\, (\mu\_.[\alpha]\underline{4})$ (μS)

$\to \mu\alpha.[\alpha]\mu\_.[\alpha]\underline{4}$ (μN)

$\to \mu\alpha.[\alpha]\underline{4}$ (μi)

$\to \underline{4}$ (μη)

and:

$t = \mu\alpha.[\alpha]\mathsf{nrec}\, 0\, (\lambda xh.\underline{2})\, (\mathsf{S}\mu\_.[\alpha]\underline{4})$

$\to \mu\alpha.[\alpha](\lambda xh.\underline{2})\, (\mu\_.[\alpha]\underline{4})\, (\mathsf{nrec}\, 0\, (\lambda xh.\underline{2})\, (\mu\_.[\alpha]\underline{4}))$ (S′)

$\twoheadrightarrow \mu\alpha.[\alpha]\underline{2}$ (β)

$\to \underline{2}$ (μη)

Alternatively, in order to obtain a confluent system, it is possible to remove the $\to_S$-rule while retaining the unrestricted $\to_{S'}$-rule. However, then we can construct closed terms $t : \mathsf{N}$ that are in normal form but are not a numeral. An example of such a term is $\mu\alpha.[\alpha]\mathsf{S}\mu\beta.[\alpha]0$.

Lemma 3.22. Given a value $v$ such that $; \Delta \vdash v : \rho$, we have:

1. If $\rho = \mathsf{N}$, then $v = \underline{n}$.

2. If $\rho = \sigma \to \tau$, then $v = \lambda x.r$ for some variable $x$ and term $r$.

Proof. This result is proven by induction on the structure of values. □

Lemma 3.23. Given a term $t$ that is in normal form and such that $; \Delta \vdash t : \rho$, then $t$ is a value or $t = \mu\alpha.[\beta]v$ for some value $v$.

Proof. By induction on the derivation $; \Delta \vdash t : \rho$.

(var) Let $; \Delta \vdash x : \rho$ with $x : \rho \in \emptyset$. Now we obtain a contradiction since $x : \rho \notin \emptyset$.

(λ) Let $; \Delta \vdash \lambda x.r : \sigma \to \tau$. Now we are immediately done.

(app) Let $; \Delta \vdash rs : \tau$ with $; \Delta \vdash r : \sigma \to \tau$ and $; \Delta \vdash s : \sigma$. Now by the induction hypothesis and Lemma 3.22 we have $r = \lambda x.r'$ or $r = \mu\alpha.[\beta]v$. But since $rs$ should be in normal form we obtain a contradiction.

(zero) Let $; \Delta \vdash 0 : \mathsf{N}$. Now we are immediately done.

(suc) Let $; \Delta \vdash \mathsf{S}t : \mathsf{N}$ with $; \Delta \vdash t : \mathsf{N}$. Now we have $t = \underline{n}$ or $t = \mu\alpha.[\beta]v$ by the induction hypothesis and Lemma 3.22. In the former case we are immediately done, in the latter case we obtain a contradiction because the $\to_{\mu S}$-rule can be applied.

(nrec) Let $; \Delta \vdash \mathsf{nrec}\, r\, s\, t : \rho$ with $; \Delta \vdash t : \mathsf{N}$. Now we have $t = \underline{n}$ or $t = \mu\alpha.[\beta]v$ by the induction hypothesis and Lemma 3.22. But in both cases we obtain a contradiction because the reduction rules $\to_0$/$\to_S$ and $\to_{\mu N}$ can be applied, respectively.

(act/pas) Let $; \Delta \vdash \mu\alpha.[\beta]t : \rho$ with $; \Delta, \alpha : \rho \vdash t : \tau$ and $\beta : \tau \in (\Delta, \alpha : \rho)$. Now we have that $t$ is a value or $t = \mu\alpha'.[\beta']v$ by the induction hypothesis. In the former case we are immediately done, in the latter case we obtain a contradiction because the $\to_{\mu i}$-rule can be applied. □
Theorem 3.24. Given a term $t$ that is in normal form and such that $; \vdash t : \mathsf{N}$, then $t = \underline{n}$ for some $n \in \mathbb{N}$.

Proof. By Lemma 3.23 we obtain that $t = v$ or $t = \mu\alpha.[\beta]v$ for some value $v$. In the former case we have $t = \underline{n}$ by Lemma 3.22. In the latter case we have $\beta = \alpha$ since $t$ is closed for μ-variables, so $t = \mu\alpha.[\alpha]\underline{n}$ by Lemma 3.22. But now we obtain a contradiction because we can apply the $\to_{\mu\eta}$-rule. □



4 CPS-translation of λμ^T into λT

In this section we present a CPS-translation from λμ^T into λT. We use this CPS-translation to prove the main result of this section: the functions that are representable in λμ^T are exactly the functions that are provably recursive in first-order arithmetic.

Definition 4.1. Let $\neg\rho$ denote $\rho \to \bot$ for a fixed type $\bot$. Given a type $\rho$, the negative translation $\rho^\circ$ of $\rho$ is mutually inductively defined with $\rho^*$ as follows.

$\rho^\circ := \neg\neg\rho^*$
$\mathsf{N}^* := \mathsf{N}$
$(\sigma \to \tau)^* := \sigma^\circ \to \tau^\circ$

Definition 4.2. Given λT-terms $t$ and $r$, the CPS-application $t \bullet r$ of $t$ and $r$ is defined as follows.

$t \bullet r := \lambda k.\, t\, (\lambda l.\, l\, r\, k)$

Definition 4.3. Given a λT-term $t$, the negative $\overline{t}$ of $t$ is defined as follows.

$\overline{t} := \lambda k.\, k\, t$

Fact 4.4. If $\Gamma \vdash t : (\sigma \to \tau)^\circ$ and $\Gamma \vdash r : \sigma^\circ$, then $\Gamma \vdash t \bullet r : \tau^\circ$.

Definition 4.5. Given a λμ^T-term $t$, the CPS-translation $t^\circ$ of $t$ into λT is inductively defined as follows.

$x^\circ := \lambda k.\, x\, k$
$(\lambda x.t)^\circ := \lambda k.\, k\, (\lambda x.\, t^\circ)$
$(tr)^\circ := t^\circ \bullet r^\circ$
$0^\circ := \overline{0}$
$(\mathsf{S}t)^\circ := \lambda k.\, t^\circ\, (\lambda l.\, k\, (\mathsf{S}l))$
$(\mathsf{nrec}_\rho\, r\, s\, t)^\circ := \lambda k.\, t^\circ\, (\lambda l.\, \mathsf{nrec}\, r^\circ\, s'\, l\, k)$ where $s' := \lambda xp.\, s^\circ \bullet \overline{x} \bullet p$
$(\mu\alpha.c)^\circ := \lambda k_\alpha.\, c^\circ$
$([\alpha]t)^\circ := t^\circ\, k_\alpha$

Here $k_\alpha$ is a fresh λ-variable for each μ-variable $\alpha$.

In the translation of $\mathsf{nrec}_\rho\, r\, s\, t$ we see that we are required to evaluate $t$ first, simply because it is the only way to obtain a numeral from $t$.

Fact 4.6. If $\Gamma \vdash t : \rho^*$, then $\Gamma \vdash \overline{t} : \rho^\circ$.

Theorem 4.7. The translation from λμ^T into λT preserves typing. That is:

$\Gamma; \Delta \vdash t : \rho$ in λμ^T $\implies$ $\Gamma^\circ, \Delta^\circ \vdash t^\circ : \rho^\circ$ in λT
where $\Gamma^\circ = \{x : \rho^\circ \mid x : \rho \in \Gamma\}$ and $\Delta^\circ = \{k_\alpha : \neg\rho^* \mid \alpha : \rho \in \Delta\}$.

Proof. We prove that $\Gamma; \Delta \vdash t : \rho$ implies $\Gamma^\circ, \Delta^\circ \vdash t^\circ : \rho^\circ$ and that $\Gamma; \Delta \vdash c : \bot$ implies $\Gamma^\circ, \Delta^\circ \vdash c^\circ : \bot$ by mutual induction on the typing derivations. Most of the cases are straightforward, so we treat just one interesting case.

(nrec) Let $\Gamma; \Delta \vdash \mathsf{nrec}_\rho\, r\, s\, t : \rho$ with $\Gamma; \Delta \vdash r : \rho$, $\Gamma; \Delta \vdash s : \mathsf{N} \to \rho \to \rho$ and $\Gamma; \Delta \vdash t : \mathsf{N}$. Now we have $\Gamma^\circ, \Delta^\circ \vdash r^\circ : \rho^\circ$, $\Gamma^\circ, \Delta^\circ \vdash s^\circ : (\mathsf{N} \to \rho \to \rho)^\circ$ and $\Gamma^\circ, \Delta^\circ \vdash t^\circ : \mathsf{N}^\circ$ by the induction hypothesis. Furthermore we have $s' = \lambda xp.\, s^\circ \bullet \overline{x} \bullet p : \mathsf{N} \to \rho^\circ \to \rho^\circ$ as shown below.

$\dfrac{s^\circ : (\mathsf{N} \to \rho \to \rho)^\circ \qquad \dfrac{x : \mathsf{N}}{\overline{x} : \mathsf{N}^\circ}\ (a)}{s^\circ \bullet \overline{x} : (\rho \to \rho)^\circ}\ (b) \qquad p : \rho^\circ$

$\dfrac{s^\circ \bullet \overline{x} : (\rho \to \rho)^\circ \qquad p : \rho^\circ}{s^\circ \bullet \overline{x} \bullet p : \rho^\circ}\ (c)$

$\lambda xp.\, s^\circ \bullet \overline{x} \bullet p : \mathsf{N} \to \rho^\circ \to \rho^\circ$

Here, step (a) follows from Fact 4.6 and steps (b) and (c) follow from Fact 4.4. So $\Gamma^\circ, \Delta^\circ \vdash (\mathsf{nrec}_\rho\, r\, s\, t)^\circ : \rho^\circ$ as shown below.

$\dfrac{r^\circ : \rho^\circ \qquad s' : \mathsf{N} \to \rho^\circ \to \rho^\circ \qquad l : \mathsf{N}}{\mathsf{nrec}\, r^\circ\, s'\, l : \rho^\circ}$

$\dfrac{\mathsf{nrec}\, r^\circ\, s'\, l : \rho^\circ \qquad k : \neg\rho^*}{\mathsf{nrec}\, r^\circ\, s'\, l\, k : \bot}$

$\dfrac{t^\circ : \mathsf{N}^\circ \qquad \lambda l.\, \mathsf{nrec}\, r^\circ\, s'\, l\, k : \neg\mathsf{N}}{t^\circ\, (\lambda l.\, \mathsf{nrec}\, r^\circ\, s'\, l\, k) : \bot}$

$\lambda k.\, t^\circ\, (\lambda l.\, \mathsf{nrec}\, r^\circ\, s'\, l\, k) : \rho^\circ$ □

Fact 4.8. For each $n \in \mathbb{N}$ we have $\underline{n}^\circ \twoheadrightarrow \overline{\underline{n}}$.

Proof. By induction on $n$.

1. Let $n = 0$. We have $0^\circ \equiv \overline{0}$ by Definition 4.5.

2. Let $n > 0$. We have $\underline{n}^\circ \twoheadrightarrow \overline{\underline{n}}$ by the induction hypothesis and hence:

$\underline{n+1}^\circ = \lambda k.\, \underline{n}^\circ\, (\lambda l.\, k\, (\mathsf{S}l))$

$\twoheadrightarrow \lambda k.\, (\lambda q.\, q\, \underline{n})\, (\lambda l.\, k\, (\mathsf{S}l))$

$\twoheadrightarrow \lambda k.\, k\, (\mathsf{S}\underline{n})$

$= \overline{\underline{n+1}}$

□
Lemma 4.9. For each term $t$ we have $\lambda k.\, t^\circ\, k \twoheadrightarrow t^\circ$.

Proof. This follows immediately from Definition 4.5, since the translation $t^\circ$ of a term $t$ is of the shape $\lambda l.\, t'$, so $\lambda k.\, (\lambda l.\, t')\, k \twoheadrightarrow \lambda k.\, t'[l := k] = t^\circ$. □

Lemma 4.10. We have $\lambda k.\mathrm{nrec}\, r^\circ\, s'\, \overline{n}\, k = \mathrm{nrec}\, r^\circ\, s'\, \overline{n}$ for $s' = \lambda xp.s^\circ \bullet \widehat{x} \bullet p$.

Proof. We distinguish the following cases.

1. Let $n = 0$. The result follows from Lemma 4.9.

2. Let $n > 0$. Now we have the following.

$$\begin{array}{rcl}
\lambda k.\mathrm{nrec}\, r^\circ\, s'\, \overline{n}\, k
&\to& \lambda k.s'\, \overline{n-1}\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n-1})\, k \\
&\twoheadrightarrow& \lambda k.(s^\circ \bullet \widehat{n-1} \bullet \mathrm{nrec}\, r^\circ\, s'\, \overline{n-1})\, k \\
&=& \lambda k.(\lambda k_2.(s^\circ \bullet \widehat{n-1})(\lambda l.l\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n-1})\, k_2))\, k \\
&\to& \lambda k.(s^\circ \bullet \widehat{n-1})(\lambda l.l\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n-1})\, k) \\
&=& s^\circ \bullet \widehat{n-1} \bullet \mathrm{nrec}\, r^\circ\, s'\, \overline{n-1} \\
&=& s'\, \overline{n-1}\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n-1}) \\
&=& \mathrm{nrec}\, r^\circ\, s'\, \overline{n}
\end{array}$$ □

Lemma 4.11. The translation from $\lambda\mu^T$ into $\lambda^T$ preserves (structural) substitution. That is:

1. $t^\circ[x := r^\circ] \twoheadrightarrow (t[x := r])^\circ$

2. $(t[\alpha := \beta\,\Box])^\circ = t^\circ[k_\alpha := k_\beta]$

3. $(t[\alpha := \beta\,(S\Box)])^\circ \twoheadrightarrow t^\circ[k_\alpha := \lambda l.k_\beta(Sl)]$

4. $(t[\alpha := \beta\,(\Box s)])^\circ \twoheadrightarrow t^\circ[k_\alpha := \lambda l.l\, s^\circ\, k_\beta]$

5. $(t[\alpha := \beta\,(\mathrm{nrec}\, r\, s\, \Box)])^\circ \twoheadrightarrow t^\circ[k_\alpha := \lambda l.\mathrm{nrec}\, r^\circ\, s'\, l\, k_\beta]$

Proof. These results are proven by induction on the structure of $t$. □

Lemma 4.12. The translation from $\lambda\mu^T$ into $\lambda^T$ preserves convertibility. That is, if $t_1 = t_2$, then $t_1^\circ = t_2^\circ$.

Proof. By induction on the derivation of $t_1 = t_2$. Most of the cases are straightforward, so we treat just one interesting case.

1. Let $\mathrm{nrec}\, r\, s\, (S\overline{n}) \to s\, \overline{n}\, (\mathrm{nrec}\, r\, s\, \overline{n})$. Now:

$$\begin{array}{rcll}
(\mathrm{nrec}\, r\, s\, (S\overline{n}))^\circ &=& \lambda k.(S\overline{n})^\circ(\lambda l.\mathrm{nrec}\, r^\circ\, s'\, l\, k) & \\
&\twoheadrightarrow& \lambda k.\widehat{S\overline{n}}\,(\lambda l.\mathrm{nrec}\, r^\circ\, s'\, l\, k) & \text{(a)} \\
&\to& \lambda k.\mathrm{nrec}\, r^\circ\, s'\, (S\overline{n})\, k & \\
&\to& \lambda k.s'\, \overline{n}\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n})\, k & \\
&\twoheadrightarrow& \lambda k.(s^\circ \bullet \widehat{n} \bullet \mathrm{nrec}\, r^\circ\, s'\, \overline{n})\, k & \\
&=& \lambda k.(\lambda k_2.(s^\circ \bullet \widehat{n})(\lambda l.l\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n})\, k_2))\, k & \\
&\to& \lambda k.(s^\circ \bullet \widehat{n})(\lambda l.l\, (\mathrm{nrec}\, r^\circ\, s'\, \overline{n})\, k) & \\
&=& s^\circ \bullet \widehat{n} \bullet \lambda k_2.\mathrm{nrec}\, r^\circ\, s'\, \overline{n}\, k_2 & \text{(b)} \\
&=& s^\circ \bullet \widehat{n} \bullet \lambda k_2.\widehat{n}(\lambda l.\mathrm{nrec}\, r^\circ\, s'\, l\, k_2) & \\
&=& s^\circ \bullet \overline{n}^\circ \bullet \lambda k_2.\overline{n}^\circ(\lambda l.\mathrm{nrec}\, r^\circ\, s'\, l\, k_2) & \text{(c)} \\
&=& (s\, \overline{n}\, (\mathrm{nrec}\, r\, s\, \overline{n}))^\circ &
\end{array}$$

Here, step (a) holds by Fact 4.8, step (b) holds by Lemma 4.10 and step (c) holds by Fact 4.8. □

Theorem 4.13. Each function $f : \mathbb{N}^n \to \mathbb{N}$ that is representable in $\lambda\mu^T$ is representable in $\lambda^T$. That is, if a term $t$ with $;\vdash t : \mathsf{N}^n \to \mathsf{N}$ represents the function $f$ in $\lambda\mu^T$, then there exists a term $t'$ with $\vdash t' : \mathsf{N}^n \to \mathsf{N}$ that represents the function $f$ in $\lambda^T$.

Proof. Suppose that $t : \mathsf{N}^n \to \mathsf{N}$ represents $f : \mathbb{N}^n \to \mathbb{N}$ in $\lambda\mu^T$. That means that $\overline{f(m_1, \ldots, m_n)} = t\, \overline{m_1} \ldots \overline{m_n}$. Now define a term $t'$ as follows.

$$t' := \lambda x_1 : \mathsf{N} \ldots \lambda x_n : \mathsf{N}.\ (t^\circ \bullet \widehat{x_1} \bullet \ldots \bullet \widehat{x_n})\,(\lambda x : \mathsf{N}.x)$$

Now we have $t^\circ : (\mathsf{N}^n \to \mathsf{N})^\circ$ by Theorem 4.7, $\widehat{x_i} : \mathsf{N}^\circ$ by Fact 4.6 and therefore $t^\circ \bullet \widehat{x_1} \bullet \ldots \bullet \widehat{x_n} : \mathsf{N}^\circ$ by Fact 4.4. Hence by setting $\bot = \mathsf{N}$ we have $t' : \mathsf{N}^n \to \mathsf{N}$. Now it remains to prove that $\overline{f(m_1, \ldots, m_n)} = t'\, \overline{m_1} \ldots \overline{m_n}$.

$$\begin{array}{rcll}
t'\, \overline{m_1} \ldots \overline{m_n} &=& (t^\circ \bullet \widehat{m_1} \bullet \ldots \bullet \widehat{m_n})\, \lambda x.x & \\
&=& (t^\circ \bullet \overline{m_1}^\circ \bullet \ldots \bullet \overline{m_n}^\circ)\, \lambda x.x & \text{(a)} \\
&=& (t\, \overline{m_1} \ldots \overline{m_n})^\circ\, \lambda x.x & \\
&=& (\overline{f(m_1, \ldots, m_n)})^\circ\, \lambda x.x & \text{(b)} \\
&=& \widehat{f(m_1, \ldots, m_n)}\, \lambda x.x & \text{(c)} \\
&=& \overline{f(m_1, \ldots, m_n)} &
\end{array}$$

Here, step (a) holds by Fact 4.8, step (b) holds by Lemma 4.12 and step (c) holds by Fact 4.8. □
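As an added worked example (not part of the original paper), we carry the construction of Theorem 4.13 through for the successor function, represented in $\lambda\mu^T$ by $t = \lambda x.Sx$ with $n = 1$. The example assumes the reading $\widehat{u} := \lambda k.k\,u$ of the hat notation (as in the step $\overline{n}^\circ \twoheadrightarrow \lambda q.q\overline{n}$ in the proof of Fact 4.8) and $t \bullet r := \lambda k.t(\lambda l.l\,r\,k)$ for the CPS application (as in the unfolding step in the proof of Lemma 4.10); both are assumptions of this example, not definitions quoted from this section.

$$\begin{array}{rcl}
t^\circ &=& \lambda k.k(\lambda x.(Sx)^\circ), \qquad (Sx)^\circ = \lambda k.(\lambda k'.xk')(\lambda l.k(Sl)) \to \lambda k.x(\lambda l.k(Sl)) \\
t' &:=& \lambda x_1 : \mathsf{N}.\ (t^\circ \bullet \widehat{x_1})(\lambda x : \mathsf{N}.x)
\end{array}$$

Applying $t'$ to $\overline{0} = 0$, so that $\widehat{x_1}[x_1 := 0] = \widehat{0} = \lambda k.k0$:

$$\begin{array}{rcl}
t'\,0 &\to& (t^\circ \bullet \widehat{0})(\lambda x.x) \\
&=& (\lambda k.t^\circ(\lambda l.l\,\widehat{0}\,k))(\lambda x.x) \\
&\to& t^\circ(\lambda l.l\,\widehat{0}\,(\lambda x.x)) \\
&\to& (\lambda l.l\,\widehat{0}\,(\lambda x.x))(\lambda x.(Sx)^\circ) \\
&\to& (\lambda x.(Sx)^\circ)\,\widehat{0}\,(\lambda x.x) \\
&\twoheadrightarrow& (\lambda k.\widehat{0}(\lambda l.k(Sl)))(\lambda x.x) \\
&\to& \widehat{0}(\lambda l.(\lambda x.x)(Sl)) \\
&\to& (\lambda l.(\lambda x.x)(Sl))\,0 \\
&\to& (\lambda x.x)(S0) \\
&\to& S0 = \overline{1}
\end{array}$$

So $t'\,\overline{0} \twoheadrightarrow \overline{1}$ in $\lambda^T$, matching $f(0) = 1$; the chain of equalities in the proof above is here realised by actual reductions, with $\bot = \mathsf{N}$ making the final application of $\lambda x.x$ well typed.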

Corollary 4.14. The functions representable in $\lambda\mu^T$ are exactly those that are provably recursive in first-order arithmetic.

Proof. This result follows immediately from Theorem 2.10 and Theorem 4.13. □



5 Confluence of $\lambda\mu^T$

To prove confluence one typically uses the notion of parallel reduction, as introduced by Tait and Martin-Löf. Intuitively, a parallel reduction relation $\Rightarrow$ allows one to contract a number of redexes in a term simultaneously. Following Takahashi [Tak95], $\Rightarrow$ can be defined by induction over the term structure, making it easy to prove that it is preserved under substitution. Then one proves that $\Rightarrow$ satisfies:

• The diamond property: if $t_1 \Rightarrow t_2$ and $t_1 \Rightarrow t_3$, then there exists a $t_4$ such that $t_2 \Rightarrow t_4$ and $t_3 \Rightarrow t_4$;

• $\to\ \subseteq\ \Rightarrow$: if $t_1 \to t_2$, then $t_1 \Rightarrow t_2$;

• $\Rightarrow\ \subseteq\ \twoheadrightarrow$: if $t_1 \Rightarrow t_2$, then $t_1 \twoheadrightarrow t_2$.

Thus one obtains confluence of $\to$. To streamline proving the diamond property of $\Rightarrow$ one can define the complete development of a term $t$, notation $t^*$, which is obtained by contracting all redexes in $t$. Now it suffices to prove that $t_1 \Rightarrow t_2$ implies $t_2 \Rightarrow t_1^*$. Unfortunately, as observed in [Fuj97, BHF01], adopting the notion of parallel reduction in a standard way does not work for $\lambda\mu$. The resulting parallel reduction relation will only be weakly confluent and not confluent.

In this section we will focus on resolving this problem for $\lambda\mu^T$. For an extensive discussion of parallel reduction and its application to various systems we refer to [Tak95]. A simple-minded parallel reduction relation, obtained by extending Parigot's parallel reduction [Par92] to $\lambda\mu^T$, would have the following rules:

(t6.1) If $c \Rightarrow c'$, then $\mu\alpha.c \Rightarrow \mu\alpha.c'$.

(t6.2) If $c \Rightarrow c'$ and $s \Rightarrow s'$, then $(\mu\alpha.c)s \Rightarrow \mu\alpha.c'[\alpha := \alpha\,(\Box s')]$.

(t6.3) If $c \Rightarrow c'$, then $S(\mu\alpha.c) \Rightarrow \mu\alpha.c'[\alpha := \alpha\,(S\Box)]$.

(t6.4) If $r \Rightarrow r'$, $s \Rightarrow s'$ and $c \Rightarrow c'$, then $\mathrm{nrec}\, r\, s\, \mu\alpha.c \Rightarrow \mu\alpha.c'[\alpha := \alpha\,(\mathrm{nrec}\, r'\, s'\, \Box)]$.

(t7) If $t \Rightarrow t'$ and $\alpha \notin \mathrm{FCV}(t)$, then $\mu\alpha.[\alpha]t \Rightarrow t'$.

(c1) If $t \Rightarrow t'$, then $[\alpha]t \Rightarrow [\alpha]t'$.

(c2) If $c \Rightarrow c'$, then $[\alpha]\mu\beta.c \Rightarrow c'[\beta := \alpha\,\Box]$.

As has been observed in [Fuj99], Parigot's original parallel reduction relation is not confluent. Similarly, the parallel reduction as defined above for $\lambda\mu^T$ is not confluent. Let us (as in [BHF01]) consider the term $(\mu\alpha.[\alpha]\mu\gamma.[\alpha]x)y$. This term contains both a (t6.2)- and a (c2)-redex. However, after contracting the (t6.2)-redex, we obtain the term $\mu\alpha.[\alpha](\mu\gamma.[\alpha]xy)y$, in which the (c2)-redex is blocked.





The situation is as follows; the dotted arrow indicates that the common reduct is not reached in one parallel step from $\mu\alpha.[\alpha](\mu\gamma.[\alpha]xy)y$, since the (c2)-redex has to be unblocked first.

$$\begin{array}{ccc}
(\mu\alpha.[\alpha]\mu\gamma.[\alpha]x)y & \Rightarrow & \mu\alpha.[\alpha](\mu\gamma.[\alpha]xy)y \\
\Downarrow & & \Downarrow \\
(\mu\alpha.[\alpha]x)y & & \mu\alpha.[\alpha]\mu\gamma.[\alpha]xy \\
\Downarrow & & \downarrow \text{ (dotted)} \\
\mu\alpha.[\alpha]xy & = & \mu\alpha.[\alpha]xy
\end{array}$$

Although it is possible to prove that this relation is weakly confluent, weak confluence is not quite satisfactory. Of course, since $\lambda\mu^T$ is strongly normalizing (Theorem 6.34), it would give confluence by Newman's lemma. However, an untyped version of $\lambda\mu^T$ is of course not strongly normalizing, hence we do not obtain confluence for raw terms this way.

Baba, Hirokawa and Fujita [BHF01] noticed that this problem could be repaired by allowing $\alpha$ to "jump over a whole context" to its corresponding $[\alpha]$. Their version of the (c2)-rule is as follows.

(c2) If $c \Rightarrow c'$ and $E \Rightarrow E'$, then $[\alpha]E[\mu\beta.c] \Rightarrow c'[\beta := \alpha E']$.

Here $E$ and $E'$ are contexts and parallel reduction on contexts is defined by reducing all its components in parallel. This (c2)-rule performs "deep" structural substitutions and renaming in one step and thus covers and extends the original rules (t6.1-4) and (c2).

Baba et al. [BHF01] have shown that their relation $\Rightarrow$ is confluent for $\lambda\mu$ without the (t7) rule. It is not confluent if the (t7) rule is included. Let us (as in [BHF01]) consider the term $\mu\alpha.[\alpha](\mu\beta.[\gamma]x)yz$; the dotted arrow is again the step that would be needed to close the diamond.

$$\begin{array}{ccc}
\mu\alpha.[\alpha](\mu\beta.[\gamma]x)yz & \Rightarrow & (\mu\beta.[\gamma]x)yz \\
\Downarrow & & \Downarrow \\
\mu\alpha.[\gamma]x & \Leftarrow \text{ (dotted)} & (\mu\beta.[\gamma]x)z
\end{array}$$

In the conclusion of their work they suggest that this problem can be repaired by considering a series of structural substitutions (t6.1-4) as one step. This approach has been carried out successfully by Nakazawa for a call-by-value variant of $\lambda\mu$ [Nak03]. However, Nakazawa did not use the notion of complete development. We will follow the approach suggested by Baba et al. for $\lambda\mu^T$ and use the notion of complete development.

Definition 5.1. Parallel reduction $t \Rightarrow t'$ on terms is mutually inductively defined with parallel reduction $c \Rightarrow c'$ on commands and parallel reduction $E \Rightarrow E'$ on contexts as follows.

(t1) $x \Rightarrow x$

(t2) $0 \Rightarrow 0$

(t3) If $t \Rightarrow t'$, then $\lambda x.t \Rightarrow \lambda x.t'$.

(t4) If $t \Rightarrow t'$ and $E^s \Rightarrow E'$, then $E^s[t] \Rightarrow E'[t']$.

(t5) If $t \Rightarrow t'$ and $r \Rightarrow r'$, then $(\lambda x.t)r \Rightarrow t'[x := r']$.

(t6) If $c \Rightarrow c'$ and $E \Rightarrow E'$, then $E[\mu\alpha.c] \Rightarrow \mu\alpha.c'[\alpha := \alpha E']$.

(t7) If $t \Rightarrow t'$ and $\alpha \notin \mathrm{FCV}(t)$, then $\mu\alpha.[\alpha]t \Rightarrow t'$.

(t8) If $r \Rightarrow r'$, then $\mathrm{nrec}\, r\, s\, 0 \Rightarrow r'$.

(t9) If $r \Rightarrow r'$ and $s \Rightarrow s'$, then $\mathrm{nrec}\, r\, s\, (S\overline{n}) \Rightarrow s'\, \overline{n}\, (\mathrm{nrec}\, r'\, s'\, \overline{n})$.

(c1) If $t \Rightarrow t'$, then $[\alpha]t \Rightarrow [\alpha]t'$.

(c2) If $c \Rightarrow c'$ and $E \Rightarrow E'$, then $[\alpha]E[\mu\beta.c] \Rightarrow c'[\beta := \alpha E']$.

(E1) $\Box \Rightarrow \Box$

(E2) If $E \Rightarrow E'$ and $t \Rightarrow t'$, then $Et \Rightarrow E't'$.

(E3) If $E \Rightarrow E'$, then $SE \Rightarrow SE'$.

(E4) If $E \Rightarrow E'$, $r \Rightarrow r'$ and $s \Rightarrow s'$, then $\mathrm{nrec}\, r\, s\, E \Rightarrow \mathrm{nrec}\, r'\, s'\, E'$.

Furthermore, $\Rightarrow^*$ denotes the transitive closure of $\Rightarrow$.

For conciseness of presentation, we specify most of the forthcoming lemmas just for terms. Yet they can always be mutually stated and mutually inductively proven for commands and contexts.

Lemma 5.2. Parallel reduction is reflexive. That is, $t \Rightarrow t$ for all terms $t$.

Proof. By induction on $t$. We use the rules (t1-4), (t6), (c1) and (E1-4). □

Lemma 5.3. If $E \Rightarrow E'$ and $t \Rightarrow t'$, then $E[t] \Rightarrow E'[t']$.

Proof. By induction on the derivation of $E \Rightarrow E'$. □

Lemma 5.4. If $E^s$ is singular and $E^s \Rightarrow E'$, then $E'$ is singular.

Proof. By a case analysis on the derivation of $E^s \Rightarrow E'$. □

Lemma 5.5. If $t \Rightarrow t'$, then $\mathrm{FV}(t') \subseteq \mathrm{FV}(t)$ and $\mathrm{FCV}(t') \subseteq \mathrm{FCV}(t)$.

Proof. By induction on the derivation of $t \Rightarrow t'$. □

Lemma 5.6. Parallel reduction is preserved under (structural) substitution.

1. If $t \Rightarrow t'$ and $s \Rightarrow s'$, then $t[x := s] \Rightarrow t'[x := s']$.

2. If $t \Rightarrow t'$ and $E \Rightarrow E'$, then $t[\alpha := \beta E] \Rightarrow t'[\alpha := \beta E']$.

Proof. By induction on the derivation of $t \Rightarrow t'$. We treat some cases.

(t6) Let $F[\mu\gamma.c] \Rightarrow \mu\gamma.c'[\gamma := \gamma F']$ with $c \Rightarrow c'$ and $F \Rightarrow F'$. Now we have $c[\alpha := \beta E] \Rightarrow c'[\alpha := \beta E']$ and $F[\alpha := \beta E] \Rightarrow F'[\alpha := \beta E']$ by the induction hypothesis. Therefore we have the following.

$$\begin{array}{rcl}
(F[\mu\gamma.c])[\alpha := \beta E] &=& (F[\alpha := \beta E])[\mu\gamma.c[\alpha := \beta E]] \\
&\Rightarrow& \mu\gamma.c'[\alpha := \beta E'][\gamma := \gamma(F'[\alpha := \beta E'])] \\
&=& \mu\gamma.c'[\gamma := \gamma F'][\alpha := \beta E'] \\
&=& (\mu\gamma.c'[\gamma := \gamma F'])[\alpha := \beta E']
\end{array}$$

In the before last step we use a substitution lemma. This is possible because $\gamma \notin \mathrm{FCV}(E)$ by the Barendregt convention and thus $\gamma \notin \mathrm{FCV}(E')$ by Lemma 5.5.

(c2) Let $[\alpha]F[\mu\gamma.c] \Rightarrow c'[\gamma := \alpha F']$ with $c \Rightarrow c'$ and $F \Rightarrow F'$. Now we have $c[\alpha := \beta E] \Rightarrow c'[\alpha := \beta E']$ and $F[\alpha := \beta E] \Rightarrow F'[\alpha := \beta E']$ by the induction hypothesis. Therefore we have the following.

$$\begin{array}{rcl}
([\alpha]F[\mu\gamma.c])[\alpha := \beta E] &=& [\beta]E[F[\alpha := \beta E][\mu\gamma.c[\alpha := \beta E]]] \\
&\Rightarrow& c'[\alpha := \beta E'][\gamma := \beta E'[F'[\alpha := \beta E']]] \\
&=& c'[\gamma := \alpha F'][\alpha := \beta E'] \\
&=& (c'[\gamma := \alpha F'])[\alpha := \beta E']
\end{array}$$

In the before last step we use a substitution lemma. This is possible because $\gamma \notin \mathrm{FCV}(E)$ by the Barendregt convention and thus $\gamma \notin \mathrm{FCV}(E')$ by Lemma 5.5. □

A crucial property of a parallel reduction is that a one step reduction is an instance of a parallel reduction and that a parallel reduction is an instance of a multi-step reduction.

Lemma 5.7. Parallel reduction enjoys the intended behavior. That is:

1. If $t \to t'$, then $t \Rightarrow t'$.

2. If $t \Rightarrow t'$, then $t \twoheadrightarrow t'$.

Proof. The first property is proven by induction on the derivation of $t \to t'$ using that parallel reduction is reflexive (Lemma 5.2). The second by induction on the derivation of $t \Rightarrow t'$ using an obvious substitution lemma for $\twoheadrightarrow$. □

To define the complete development of a term $t$, we need to decide which redexes to contract. This job is non-trivial because $\Rightarrow$ is very strong: in one step it is able to move a subterm that is located very deeply in the term to the outside. For example, consider the command $e$:

$$e = E_n[\mu\alpha_n.[\alpha_n] \ldots E_1[\mu\alpha_1.[\alpha_1]E_0[\mu\alpha_0.c]] \ldots] \qquad (1)$$
where all the $\mu\alpha_i.[\alpha_i]E_{i-1}$ are $\mu\eta$-redexes. That is, $\alpha_i \notin \mathrm{FCV}(E_j)$ for all $0 \le j < i \le n$ and $\alpha_i \notin \mathrm{FCV}(c)$ for all $0 \le i \le n$. Intuitively one would be urged to contract the (t7)-redexes immediately. That yields:

$$E_n^*[\ldots E_1^*[E_0^*[\mu\alpha_0.c']] \ldots]$$

given complete developments $E_i^*$ of $E_i$ and $c'$ of $c$. However, this is not the complete development of $e$. We have $[\alpha_{i+1}]E_i[\mu\alpha_i.d] \Rightarrow d$ for each $i$ such that $0 \le i < n$, hence the whole command $e$ reduces to $c'$. As this example indicates, it is impossible to determine whether a (t7)-redex should be contracted without looking more deeply into the term. In order to define the complete development we introduce a special kind of context consisting of a series of nested (t7)-redexes, as in (1). Furthermore, we define a case distinction on terms.

Definition 5.8. A $\lambda\mu^T$ $\eta$-context (or simply: an $\eta$-context) is defined as follows.

$$H ::= \Box \mid E[\mu\alpha.[\alpha]H] \quad \text{provided that } \alpha \notin \mathrm{FCV}(H)$$

The operation of substitution of a term for the hole in an $\eta$-context is defined in the usual way. However, since these contexts contain $\mu$-binders it is important that this operation is capture avoiding for $\mu$-variables. Note also that, in general, an $\eta$-context is not a context in the sense of Definition 3.5.
Lemma 5.9. Each term $t$ is of exactly one of the following shapes.

variable:
1. $x$

value:
2. $\overline{n}$
3. $\lambda x.s$

redex:
4. $(\lambda x.s)r$
5. $\mathrm{nrec}\, r\, s\, \overline{n}$
6. $H[r]$ with $H \neq \Box$ and $r = E[\lambda x.s]$, $r = E[0]$ or $r = E[x]$
7. $H[E[\mu\beta.c]]$ with $c \equiv [\gamma]s$ and $\gamma \neq \beta$, or $c \equiv [\beta]s$ and $\beta \in \mathrm{FCV}(s)$

other:
8. $sr$ with $s \neq E[\mu\beta.c]$ and $s \neq \lambda x.t$
9. $\mathrm{nrec}\, r\, s\, u$ with $u \neq E[\mu\beta.c]$ and $u \neq \overline{n}$
10. $Su$ with $u \neq E[\mu\beta.c]$ and $u \neq \overline{n}$

Proof. We prove that $t$ is always of one of the given shapes by induction on the structure of $t$. Furthermore, because these shapes are non-overlapping it is immediate that $t$ is always of exactly one of the given shapes. □

Definition 5.10. The complete development $t^*$ of a term $t$ is defined (using the case distinction established in Lemma 5.9) as:

1. $x^* := x$

2. $\overline{n}^* := \overline{n}$

3. $(\lambda x.s)^* := \lambda x.s^*$

4. $((\lambda x.s)r)^* := s^*[x := r^*]$

5. $(\mathrm{nrec}\, r\, s\, 0)^* := r^*$

6. $(\mathrm{nrec}\, r\, s\, (S\overline{n}))^* := s^*\, \overline{n}\, (\mathrm{nrec}\, r^*\, s^*\, \overline{n})$

7. $(H[r])^* := H^*[r^*]$
provided that $H \neq \Box$ and $r = E[\lambda x.s]$, $r = E[0]$ or $r = E[x]$.

8. $(H[E[\mu\beta.c]])^* := \mu\beta.c^*[\beta := \beta H^*E^*]$
provided that $c \equiv [\gamma]s$ and $\gamma \neq \beta$, or $c \equiv [\beta]s$ and $\beta \in \mathrm{FCV}(s)$.

9. $(sr)^* := s^*r^*$
provided that $s \neq E[\mu\beta.c]$ and $s \neq \lambda x.t$.

10. $(\mathrm{nrec}\, r\, s\, u)^* := \mathrm{nrec}\, r^*\, s^*\, u^*$
provided that $u \neq E[\mu\beta.c]$ and $u \neq \overline{n}$.

11. $(Su)^* := Su^*$
provided that $u \neq E[\mu\beta.c]$ and $u \neq \overline{n}$.

with the complete development of a command $c$ defined as:

1. $([\alpha]E[\mu\beta.c])^* := c^*[\beta := \alpha E^*]$

2. $([\alpha]t)^* := [\alpha]t^*$
provided that $t \neq E[\mu\beta.c]$

the complete development $E^*$ of a context $E$ defined as:

1. $\Box^* := \Box$

2. $(Et)^* := E^*t^*$

3. $(SE)^* := SE^*$

4. $(\mathrm{nrec}\, r\, s\, E)^* := \mathrm{nrec}\, r^*\, s^*\, E^*$

and the complete development of an $\eta$-context $H$ defined as:

1. $\Box^* := \Box$

2. $(E[\mu\alpha.[\alpha]H])^* := E^*H^*$
Towards a proof of confluence, we now want to prove the following property: if $t \Rightarrow t'$, then $t' \Rightarrow t^*$. This is proven by induction on the structure of $t$; the most interesting cases are when $t = H[r]$ (case 7 of Definition 5.10) or $t = H[E[\mu\beta.c]]$ (case 8 of Definition 5.10). For these cases we need some special lemmas.
Lemma 5.11. Let $r$ be a term such that $r = E[\lambda x.s]$, $r = E[0]$ or $r = E[x]$, and $H$ an $\eta$-context. If $[\alpha]H[r] \Rightarrow c$ with $\alpha \notin \mathrm{FCV}(H[r])$, then $c = [\alpha]s$ with $H[r] \Rightarrow s$ and $\alpha \notin \mathrm{FCV}(s)$.

Proof. By induction on the structure of $H$. □

Lemma 5.12. Let $r$ be a term such that $r = E[\lambda x.s]$, $r = E[0]$ or $r = E[x]$, and $H$ an $\eta$-context such that $H \neq \Box$. If $H[r] \Rightarrow t$ and for every strict subexpression $e$ of $H[r]$ we have that $e \Rightarrow e'$ implies $e' \Rightarrow e^*$, then $t \Rightarrow H^*[r^*]$.

Proof. We have to consider three cases for the reduction $H[r] \Rightarrow t$.

(t4) Let $H[r] = E_s[E_r[\mu\beta.[\beta]H_1[r]]] \Rightarrow E_s'[s]$ with $E_s$ a singular context such that $E_s \Rightarrow E_s'$, and $E_r[\mu\beta.[\beta]H_1[r]] \Rightarrow s$. By assumption we have $E_s' \Rightarrow E_s^*$ and $s \Rightarrow (E_r[\mu\beta.[\beta]H_1[r]])^* = E_r^*[H_1^*[r^*]]$. Therefore, by Lemma 5.3 we obtain that $E_s'[s] \Rightarrow E_s^*[E_r^*[H_1^*[r^*]]] = (H[r])^*$.

(t6) Let $H[r] = E[\mu\beta.[\beta]H_1[r]] \Rightarrow \mu\beta.c[\beta := \beta E']$ with $E \Rightarrow E'$ and moreover $[\beta]H_1[r] \Rightarrow c$. By Lemma 5.11 we know that $c = [\beta]s$ with $H_1[r] \Rightarrow s$ and $\beta \notin \mathrm{FCV}(s)$. So we are in the situation

$$H[r] = E[\mu\beta.[\beta]H_1[r]] \Rightarrow \mu\beta.[\beta]E'[s]$$

with $E \Rightarrow E'$ and $H_1[r] \Rightarrow s$. Now $E' \Rightarrow E^*$ and $s \Rightarrow (H_1[r])^* = H_1^*[r^*]$ by assumption. Therefore $\mu\beta.[\beta]E'[s] \Rightarrow E^*[H_1^*[r^*]] = (H[r])^*$ by Lemma 5.3 and rule (t7).

(t7) Let $H[r] = \mu\beta.[\beta]H_1[r] \Rightarrow s$ with $H_1[r] \Rightarrow s$. By assumption we have $s \Rightarrow (H_1[r])^* = H_1^*[r^*]$. Therefore $s \Rightarrow H^*[r^*] = (H[r])^*$. □

Lemma 5.13. Let $E$ be a context, $H$ an $\eta$-context, $\gamma$ a $\mu$-variable, and let $d$ be a command such that $d = [\beta]s$ with $\beta \neq \gamma$ or $d = [\gamma]s$ with $\gamma \in \mathrm{FCV}(s)$. If $H[E[\mu\gamma.d]] \Rightarrow t$ and for every strict subexpression $e$ of $H[E[\mu\gamma.d]]$ we have that $e \Rightarrow e'$ implies $e' \Rightarrow e^*$, then $t \Rightarrow \mu\alpha.d^*[\gamma := \alpha H^*E^*]$.

Proof. We prove this result by simultaneously proving the following three properties by induction on the length of $H$.

1. If $H[E[\mu\gamma.d]] \Rightarrow t$, then $E_2[t] \Rightarrow \mu\alpha.d^*[\gamma := \alpha E_2^*H^*E^*]$.

2. If $H[E[\mu\gamma.d]] \Rightarrow t$, then $[\alpha]E_2[t] \Rightarrow d^*[\gamma := \alpha E_2^*H^*E^*]$.

3. If $[\alpha]H[E[\mu\gamma.d]] \Rightarrow c$, then $c \Rightarrow d^*[\gamma := \alpha H^*E^*]$.

The base case is where $H = \Box$. We only treat a number of instances for the step case, so let $H = E_1[\mu\beta.[\beta]H_1]$.

1. Let $E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow t$. Analyzing the possible steps we prove that for every context $E_2$ we have:

$$E_2[t] \Rightarrow \mu\alpha.d^*[\gamma := \alpha E_2^*E_1^*H_1^*E^*].$$

(t4) Let $E_1 = E_sE_r$ where $E_s$ is a singular context and let $t = E_s'[s]$ with $E_s \Rightarrow E_s'$ and $E_r[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow s$. We can apply the induction hypothesis for property (1) to $E_r[\mu\beta.[\beta]H_1]$. Now we find that for every context $E_2$ we have:

$$E_2[E_s'[s]] \Rightarrow \mu\alpha.d^*[\gamma := \alpha E_2^*E_s^*E_r^*H_1^*E^*].$$

(t6) Let $E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow \mu\beta.c[\beta := \beta E_1']$ with $E_1 \Rightarrow E_1'$ and $[\beta]H_1[E[\mu\gamma.d]] \Rightarrow c$. The induction hypothesis for property (3) yields $c \Rightarrow d^*[\gamma := \beta H_1^*E^*]$. Using the substitution Lemma 5.6 and the rule (t6), we conclude that for any context $E_2$ we have:

$$E_2[\mu\beta.c[\beta := \beta E_1']] \Rightarrow \mu\beta.d^*[\gamma := \beta E_2^*E_1^*H_1^*E^*].$$

(t7) Let $E_1 = \Box$ and $\mu\beta.[\beta]H_1[E[\mu\gamma.d]] \Rightarrow s$ with $H_1[E[\mu\gamma.d]] \Rightarrow s$. The induction hypothesis for property (1) applied to $H_1[E[\mu\gamma.d]]$ gives the required reduction for any context $E_2$.

2. A similar argument to the one used for (1) also proves (2).

3. Let $[\alpha]E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow c$. Analyzing the possible steps we prove that we have:

$$c \Rightarrow d^*[\gamma := \alpha E_1^*H_1^*E^*].$$

(c1) Let $[\alpha]E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow [\alpha]s$ with $E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow s$. To close this case, we have to make a finer case analysis of the possible steps that have led to $s$. This is similar to what we have done for property (1) above. To close the case we also need the induction hypothesis for property (1) and property (2).

(c2) Let $[\alpha]E_1[\mu\beta.[\beta]H_1[E[\mu\gamma.d]]] \Rightarrow c[\beta := \alpha E_1']$ with $E_1 \Rightarrow E_1'$ and $[\beta]H_1[E[\mu\gamma.d]] \Rightarrow c$. We apply the induction hypothesis for property (3) to conclude that $c \Rightarrow d^*[\gamma := \beta H_1^*E^*]$. Therefore we have $c[\beta := \alpha E_1'] \Rightarrow d^*[\gamma := \alpha E_1^*H_1^*E^*]$ by the substitution Lemma 5.6 and we are done. □

Theorem 5.14. If $t_1 \Rightarrow t_2$, then $t_2 \Rightarrow t_1^*$.

Proof. We prove this result by mutual induction on the structure of terms, commands and contexts. We use the case distinction made in Lemma 5.9. We consider some interesting cases.

1. Let $t_1 = x$. In this case just reduction (t1) is possible, so $x \Rightarrow x^* = x$.

2. Let $t_1 = (\lambda x.s_1)r_1$. In this case the following reductions are possible.

(t4) $(\lambda x.s_1)r_1 \Rightarrow (\lambda x.s_2)r_2$ with $s_1 \Rightarrow s_2$ and $r_1 \Rightarrow r_2$. Now we have $s_2 \Rightarrow s_1^*$ and $r_2 \Rightarrow r_1^*$ by the induction hypothesis. Therefore we have $(\lambda x.s_2)r_2 \Rightarrow ((\lambda x.s_1)r_1)^* = s_1^*[x := r_1^*]$.

(t5) $(\lambda x.s_1)r_1 \Rightarrow s_2[x := r_2]$ with $s_1 \Rightarrow s_2$ and $r_1 \Rightarrow r_2$. Now we have $s_2 \Rightarrow s_1^*$ and $r_2 \Rightarrow r_1^*$ by the induction hypothesis. Therefore $s_2[x := r_2] \Rightarrow ((\lambda x.s_1)r_1)^* = s_1^*[x := r_1^*]$ by Lemma 5.6.

3. Let $t_1 = H_1[r_1]$ with $H_1 \neq \Box$ and $r_1 = E[\lambda x.s]$, $r_1 = E[0]$ or $r_1 = E[x]$. Suppose $t_1 \Rightarrow t_2$. Then $t_2 \Rightarrow H_1^*[r_1^*] = t_1^*$ by Lemma 5.12.

4. Let $t_1 = H_1[E_1[\mu\beta.c_1]]$ with $c_1 = [\gamma]s$ and $\gamma \neq \beta$, or $c_1 = [\beta]s$ and $\beta \in \mathrm{FCV}(s)$. Suppose $t_1 \Rightarrow t_2$, then $t_2 \Rightarrow \mu\alpha.c_1^*[\beta := \alpha H_1^*E_1^*] = t_1^*$ by Lemma 5.13.

5. Let $t_1 = s_1r_1$ with $s_1 \neq E[\mu\alpha.c]$ and $s_1 \neq \lambda x.s$. In this case just reduction (t4) is possible, so $s_1r_1 \Rightarrow s_2r_2$ with $s_1 \Rightarrow s_2$ and $r_1 \Rightarrow r_2$. Now $s_2 \Rightarrow s_1^*$ and $r_2 \Rightarrow r_1^*$ by the induction hypothesis, so $s_2r_2 \Rightarrow (s_1r_1)^* = s_1^*r_1^*$. □

Corollary 5.15. Parallel reduction satisfies the diamond property. That is, if $t_1 \Rightarrow t_2$ and $t_1 \Rightarrow t_3$, then there exists a term $t_4$ such that $t_2 \Rightarrow t_4$ and $t_3 \Rightarrow t_4$.

Proof. Let $t_4 = t_1^*$. Now we have $t_2 \Rightarrow t_4$ and $t_3 \Rightarrow t_4$ by Theorem 5.14. □

Theorem 5.16. Reduction on $\lambda\mu^T$ is confluent. That is, if $t_1 \twoheadrightarrow t_2$ and $t_1 \twoheadrightarrow t_3$, then there exists a term $t_4$ such that $t_2 \twoheadrightarrow t_4$ and $t_3 \twoheadrightarrow t_4$.

Proof. By Corollary 5.15 and the fact that $t \Rightarrow^* t'$ if and only if $t \twoheadrightarrow t'$, which follows immediately from Lemma 5.7. □

6 Strong normalization of $\lambda\mu^T$

In this section we prove that the $\lambda\mu^T$-calculus is strongly normalizing. Unfortunately we cannot use the CPS-translation as defined in Section 4 to prove this result. Our CPS-translation merely preserves typing and convertibility, whereas it does not preserve reduction. Defining a CPS-translation that is strictly reduction preserving (each reduction step corresponds to one or more reduction steps under the translation) is already non-trivial for the $\lambda\mu$-calculus, as Ikeda and Nakazawa [IN06] have shown. We failed to extend their approach to $\lambda\mu^T$ due to difficulties translating the nrec construct.

Instead we prove strong normalization by defining two reductions $\to_A$ and $\to_B$ such that $\to\ =\ \to_{AB}\ :=\ \to_A \cup \to_B$. In Section 6.1 we prove, using the reducibility method, that $\to_A$ is strongly normalizing. In Section 6.2 we prove that $\to_B$ is strongly normalizing and that both reductions commute in such a way that we obtain strong normalization for $\to_{AB}$.

To prove strong normalization of the second order call-by-value $\lambda\mu$-calculus, Nakazawa [Nak03] characterizes reductions whose strictness is preserved by a modified CPS-translation. Nakazawa also uses a postponement argument, but the proof is very different from ours.

Definition 6.1. Let $\to_A$ denote the compatible closure of the reduction rules $\to_\beta$, $\to_{\mu S}$, $\to_{\mu R}$, $\to_0$, $\to_S$ and $\to_{\mu N}$. Let $\to_B$ denote the compatible closure of the reduction rules $\to_{\mu\eta}$ and $\to_{\mu i}$.
Definition 6.2. Given a notion of reduction $\to_X$ (e.g. $\to_A$ or $\to_B$), the set of strongly normalizing terms, notation $\mathrm{SN}_X$, is inductively defined as follows.

1. If for all terms $t'$ with $t \to_X t'$ we have $t' \in \mathrm{SN}_X$, then $t \in \mathrm{SN}_X$.

Fact 6.3. If $t$ is in $\to_X$-normal form, then $t \in \mathrm{SN}_X$.

Fact 6.4. If $t \in \mathrm{SN}_X$ and $t \to_X t'$, then $t' \in \mathrm{SN}_X$.

6.1 Strong normalization of $\to_A$

In this subsection we prove that $\to_A$-reduction is strongly normalizing using the reducibility method. Our proof is inspired by Parigot's proof of strong normalization for the $\lambda\mu$-calculus [Par97].

Since we only consider $\to_A$-reduction we will omit subscripts from all notations. Moreover, for conciseness of notation we specify most of the forthcoming lemmas only for terms and not for commands.

The reducibility method is originally due to Tait [Tai67], who proposed the following interpretation for $\to$-types.

$$\begin{array}{rcl}
\llbracket \mathsf{N} \rrbracket &:=& \mathrm{SN} \\
\llbracket \sigma \to \tau \rrbracket &:=& \{t \mid \forall s \in \llbracket \sigma \rrbracket\ .\ ts \in \llbracket \tau \rrbracket\}
\end{array}$$

This interpretation makes it possible to prove strong normalization of $\lambda{\to}$ in a very short and elegant way [Geu08, for example]. Instead of proving that a term $t$ of type $\rho$ is strongly normalizing one proves a slight generalization, namely $t \in \llbracket \rho \rrbracket$. This method also extends to $\lambda^T$ [GTL89, for example].

Unfortunately, for $\lambda\mu$ it becomes more complicated. If a term of the shape $\lambda x.r$ consumes an argument, the $\lambda$-abstraction vanishes. However, if a term of the shape $\mu\alpha.c$ consumes an argument the $\mu$-abstraction remains, hence it is not possible to predict how many arguments $\mu\alpha.c$ will consume. To repair this issue Parigot has proposed a way to switch between a term that is a member of a certain reducibility candidate and one that is strongly normalizing when applied to a certain set of sequences of arguments.

In $\lambda\mu^T$ a term of the shape $\mu\alpha.c$ is not only able to consume arguments on its right hand side, but is also able to consume an unknown number of $S$'s and nrec's. Therefore we generalize Parigot's idea to contexts so that we are able to switch between a term that is a member of a certain reducibility candidate and one that is strongly normalizing in a certain set of contexts.

Before going into the details of the proof we state some facts.

Fact 6.5. If $t \in \mathrm{SN}$, then the length of each $\to_A$-reduction sequence starting at $t$ is bounded. We use the notation $\nu(t)$ to denote this bound.

Proof. The result holds because $\to_A$-reduction is finitely branching. □

Fact 6.6. If $t \in \mathrm{SN}$ and $t \to t'$, then $\nu(t') < \nu(t)$.

Fact 6.7. $\to_A$-reduction is preserved under (structural) substitution.

1. If $t \to t'$, then $t[x := s] \to t'[x := s]$.

2. If $s \to s'$, then $t[x := s] \twoheadrightarrow t[x := s']$.

3. If $t \to t'$, then $E[t] \to E[t']$ and $t[\alpha := \beta E] \to t'[\alpha := \beta E]$.

4. If $E \to E'$, then $E[t] \to E'[t]$ and $t[\alpha := \beta E] \twoheadrightarrow t[\alpha := \beta E']$.

We now extend the notion of strongly normalizing terms to strongly normalizing contexts. Informally a context is strongly normalizing if all its sub-terms are strongly normalizing.

Definition 6.8. The set of strongly normalizing contexts, notation $\mathrm{SN}^\Box$, is inductively defined as follows.

1. $\Box \in \mathrm{SN}^\Box$

2. If $E \in \mathrm{SN}^\Box$ and $t \in \mathrm{SN}$, then $Et \in \mathrm{SN}^\Box$.

3. If $E \in \mathrm{SN}^\Box$, then $SE \in \mathrm{SN}^\Box$.

4. If $E \in \mathrm{SN}^\Box$, $r \in \mathrm{SN}$ and $s \in \mathrm{SN}$, then $\mathrm{nrec}\, r\, s\, E \in \mathrm{SN}^\Box$.

Parigot's approach has another advantage: for the expansion lemmas we do not need to worry about the interpretation of types. We merely need the notion of being strongly normalizing (with respect to some context).

Lemma 6.9. Let $E$ be a context and $r$ a term such that $r = x$, $r = (\lambda x.s_0)u$, $r = \mathrm{nrec}\, r_0\, s_0\, \overline{n}$ or $r = E^s[\mu\alpha.c]$. If $E[r] \to t$, then we have:

1. $t = E[r']$ with $r \to r'$, or,

2. $t = E'[r]$ with $E \to E'$.

Proof. We prove the result by induction on the structure of $E$. We consider only the case $E = Fu$. Here we use the assumption about the shape of $r$ to derive that $F[r]$ cannot be of the shape $\lambda x.s$ or $\mu\beta.c$. This guarantees that $F[r]u$ is not a redex, by which the result follows immediately. □

Lemma 6.10. If $r \in \mathrm{SN}$ and $E[t[x := r]] \in \mathrm{SN}$, then $E[(\lambda x.t)r] \in \mathrm{SN}$.

Proof. We use Fact 6.5 to prove this result by well-founded induction on $\nu(r) + \nu(E[t[x := r]])$. By Definition 6.2 we have to show that for each term $w$ with $E[(\lambda x.t)r] \to w$ we have $w \in \mathrm{SN}$.

1. Let $w = E[t[x := r]]$. Now $E[t[x := r]] \in \mathrm{SN}$ by assumption.

2. Let $w = E[(\lambda x.t')r]$ and $t \to t'$. Now $E[t[x := r]] \to E[t'[x := r]]$ by Fact 6.7, hence $E[t'[x := r]] \in \mathrm{SN}$. By the induction hypothesis we have $E[(\lambda x.t')r] \in \mathrm{SN}$ since $\nu(E[t'[x := r]]) < \nu(E[t[x := r]])$.

3. Let $w = E[(\lambda x.t)r']$ and $r \to r'$. Now $E[t[x := r]] \twoheadrightarrow E[t[x := r']]$ by Fact 6.7 and therefore $E[t[x := r']] \in \mathrm{SN}$. By the induction hypothesis we have $E[(\lambda x.t)r'] \in \mathrm{SN}$ since $\nu(r') < \nu(r)$.

4. Let $w = E'[(\lambda x.t)r]$ and $E \to E'$. Now $E[t[x := r]] \to E'[t[x := r]]$ by Fact 6.7, hence $E'[t[x := r]] \in \mathrm{SN}$. By the induction hypothesis we have $E'[(\lambda x.t)r] \in \mathrm{SN}$ since $\nu(E'[t[x := r]]) < \nu(E[t[x := r]])$.

Lemma 6.9 guarantees that we have considered all possible shapes of $w$. □

Lemma 6.11. If $F^s \in \mathrm{SN}^\Box$ and $E[\mu\alpha.c[\alpha := \alpha F^s]] \in \mathrm{SN}$, then $E[F^s[\mu\alpha.c]] \in \mathrm{SN}$.

Proof. The proof is similar to the proof of Lemma 6.10. □

Corollary 6.12. If $F \in \mathrm{SN}^\Box$ and $E[\mu\alpha.c[\alpha := \alpha F]] \in \mathrm{SN}$, then $E[F[\mu\alpha.c]] \in \mathrm{SN}$.

Proof. By induction on the structure of $F$.

1. Let $F = \Box$. We have $E[\mu\alpha.c] = E[\mu\alpha.c[\alpha := \alpha\Box]]$ for each context $E$ and command $c$, so by assumption we are done.

2. Let $F = G^sH$. By an obvious substitution lemma and the assumption we have $E[\mu\alpha.c[\alpha := \alpha H][\alpha := \alpha G^s]] = E[\mu\alpha.c[\alpha := \alpha F]] \in \mathrm{SN}$. Therefore we have $E[G^s[\mu\alpha.c[\alpha := \alpha H]]] \in \mathrm{SN}$ by Lemma 6.11. Hence $E[G^s[H[\mu\alpha.c]]] \in \mathrm{SN}$ by the induction hypothesis. □

Lemma 6.13. For each context $E$ we have the following.

1. If $E[r] \in \mathrm{SN}$ and $s \in \mathrm{SN}$, then $E[\mathrm{nrec}\, r\, s\, 0] \in \mathrm{SN}$.

2. If $E[s\, \overline{n}\, (\mathrm{nrec}\, r\, s\, \overline{n})] \in \mathrm{SN}$, then $E[\mathrm{nrec}\, r\, s\, (S\overline{n})] \in \mathrm{SN}$.

Proof. We use Fact 6.5 and prove (1) by induction on $\nu(E[r]) + \nu(s)$ and (2) by induction on $\nu(E[s\, \overline{n}\, (\mathrm{nrec}\, r\, s\, \overline{n})])$. Similar to the proof of Lemma 6.10 we distinguish various cases. □

Parigot extends the well-known functional construction of two sets of terms $S$ and $T$ ($S \to T := \{t \mid \forall u \in S\ .\ tu \in T\}$) to a set $\mathcal{S}$ of sequences of terms and a set $T$ of terms as follows.

$$\mathcal{S} \to T := \{t \mid \forall \vec{u} \in \mathcal{S}\ .\ t\vec{u} \in T\}$$

Moreover, he defines the notion of reducibility candidates in such a way that each reducibility candidate $R$ can be expressed as $\mathcal{S} \to \mathrm{SN}$ for a certain set of sequences of terms $\mathcal{S}$. Therefore he is able to switch between the proposition $t \in R$ and the proposition $t\vec{u} \in \mathrm{SN}$ for all $\vec{u} \in \mathcal{S}$. We extend Parigot's notion of functional construction to contexts in the obvious way.

Definition 6.14. Given a set of contexts $\mathcal{E}$ and a set of terms $T$, the functional construction $\mathcal{E} \to T$ is defined as follows.

$$\mathcal{E} \to T := \{t \mid \forall E \in \mathcal{E}\ .\ E[t] \in T\}$$

Given two sets of terms $S$ and $T$, then $S \to T$ is defined as follows.

$$S \to T := \{\Box u \mid u \in S\} \to T$$

Remark that, for sets of terms $S$ and $T$, our definition of the functional construction $S \to T$ is equivalent to the ordinary definition.

$$S \to T = \{\Box u \mid u \in S\} \to T = \{t \mid \forall u \in S\ .\ tu \in T\}$$

Keeping in mind that we wish to express each reducibility candidate $R$ as $\mathcal{E} \to \mathrm{SN}$ for some $\mathcal{E}$, one might try to define the collection of reducibility candidates as the smallest set that contains $\mathrm{SN}$ and is closed under functional construction and arbitrary intersection. But then $\{\mathrm{nrec}\, r_1\, r_2\, \Box\} \to \mathrm{SN} = \emptyset$ is a valid candidate too. To avoid this we should be a bit more careful.

Definition 6.15. We define the collection of reducibility candidates, $\mathcal{R}$, inductively as follows.

(sn) $\mathrm{SN} \in \mathcal{R}$

(∩) If $\emptyset \subset \mathsf{R} \subseteq \mathcal{R}$, then $\bigcap \mathsf{R} \in \mathcal{R}$.

(app) If $S, T \in \mathcal{R}$, then $S \to T \in \mathcal{R}$.

(suc) If $T \in \mathcal{R}$, then $\{S\Box\} \to T \in \mathcal{R}$.

(nrec) If $S, T \in \mathcal{R}$, then $\{\mathrm{nrec}\, r\, s\, \Box \mid r \in T, s \in S \to T \to T\} \to T \in \mathcal{R}$.

Lemma 6.16. For each $R \in \mathcal{R}$ we have the following.

1. $R \subseteq \mathrm{SN}$

2. $E[x] \in R$ for each $x$ and $E \in \mathrm{SN}^\Box$.

Proof. We prove these results simultaneously by induction on the generation of $R$. We consider some interesting cases.

(sn) Let $R = \mathrm{SN}$. We certainly have $R \subseteq \mathrm{SN}$. Also, $E[x] \in \mathrm{SN}$ by Lemma 6.9.

(∩) Let $R = \bigcap \mathsf{R}$. By the induction hypothesis we have $T \subseteq \mathrm{SN}$ for each $T \in \mathsf{R}$. Therefore we have $\bigcap \mathsf{R} \subseteq \mathrm{SN}$, so the first property holds.

By the induction hypothesis we also have $E[x] \in T$ for each $T \in \mathsf{R}$ and $E \in \mathrm{SN}^\Box$. Therefore we have $E[x] \in R$ for each $E \in \mathrm{SN}^\Box$, so the second property holds as well.

(suc) Let $R = \{S\Box\} \to T$. To prove the first property, we suppose that $t \in R$. This means that $St \in T$. Therefore $St \in \mathrm{SN}$ because $T \subseteq \mathrm{SN}$ by the induction hypothesis. Now certainly $t \in \mathrm{SN}$, so the first property holds.

To prove the second property we have to show that $E[x] \in R$. By the induction hypothesis we have $E[x] \in T$ for each $E \in \mathrm{SN}^\Box$. In particular we have $SE[x] \in T$. This means that $E[x] \in R$, so the second property holds as well.

(nrec) Let $R = \{\mathrm{nrec}\, r\, s\, \Box \mid r \in T, s \in S \to T \to T\} \to T$. To prove the first property, we suppose that $t \in R$. This means that $\mathrm{nrec}\, r\, s\, t \in T$ for each $r \in T$ and $s \in S \to T \to T$. By the induction hypothesis we have an $x \in T$ and $y \in S \to T \to T$, hence $\mathrm{nrec}\, x\, y\, t \in T$. Thus $t \in \mathrm{SN}$ because $T \subseteq \mathrm{SN}$ by the induction hypothesis, so the first property holds.

To prove the second property we have to show that $E[x] \in R$. By the induction hypothesis we have $E[x] \in T$ for each $E \in \mathrm{SN}^\Box$. In particular we have $\mathrm{nrec}\, r\, s\, E[x] \in T$. This means that $E[x] \in R$, so the second property holds as well. □

As we have remarked before, we wish to express each reducibility candidate 
ii as f — > SM for some set of contexts £. Now we will make that idea precise. 

Definition 6.17. Given an R gTZ, a set of contexts R^ is inductively defined 
on the generation of R as follows. 

SN-L := {□} 



{S T)^ 
({SDj^T)^ 
({nrec r s □} -> T)^ 



|J{r-L I T G R} 

{a}U{E{au) \ uG S,E €T^} 

{a}u{E{sa) \EeT^} 

{□}U {i;(nrec r s □) | r G T,s € S ^T,E G T"^} 

Fact 6.18. For each ReTZ we have □ G i?-^. 
Lemma 6.19. For each ReTZ we have i? = i?-"- SN . 

Proof. By induction on the generation of R. We consider some interesting cases. 

(sn) Let R = SN. We have R = {□} ->■ SM, so we are done. 

(fl) Let i? = n R. By the induction hypothesis we have T = T"*- SN for 
each T G R. Therefore we have the following. 

R = f]{T I T G R} 

= f]{T^ -s- SN I T G R} 

= f]{{t I V£ G T-L . E[t] G SN} I T G R} 

= {t I VT G R, G T-L . E[t] G SN} 

= {t\yEe [j{T-^ I T G R} . E[t] G SM} 

= |J{T-^ I T G R} ^- SN 



31 



(nrec) Let $R = \{\mathsf{nrec}\ r\ s\ \Box \mid r \in T, s \in S \to T \to T\} \to T$. By the induction 
hypothesis we have $T = T^\perp \to SN$. Therefore we have the following. 

$R = \{\mathsf{nrec}\ r\ s\ \Box \mid r \in T, s \in S \to T \to T\} \to T$ 

$= \{\mathsf{nrec}\ r\ s\ \Box \mid r \in T, s \in S \to T \to T\} \to T^\perp \to SN$ 

$= \{t \mid \forall r \in T, s \in S \to T \to T .\ \mathsf{nrec}\ r\ s\ t \in T^\perp \to SN\}$ 

$= \{t \mid \forall E \in T^\perp, r \in T, s \in S \to T \to T .\ E[\mathsf{nrec}\ r\ s\ t] \in SN\}$ 

$= \{t \mid t \in SN \wedge \forall E \in T^\perp, r \in T, s \in S \to T \to T .\ E[\mathsf{nrec}\ r\ s\ t] \in SN\}$ 

$= (\{\Box\} \cup \{E(\mathsf{nrec}\ r\ s\ \Box) \mid r \in T, s \in S \to T \to T, E \in T^\perp\}) \to SN$ 

The before last step holds because for all terms $t$, if $E[\mathsf{nrec}\ r\ s\ t] \in SN$ 
for all $E \in T^\perp$, $r \in T$, $s \in S \to T \to T$, then also $t \in SN$. This is because 
$T^\perp$, $T$ and $S \to T \to T$ are non-empty by Fact 6.18 and Lemma 6.16. □ 

Lemma 6.20. For each $R \in \mathcal{R}$ we have $t \in R$ iff $E[t] \in SN$ for all $E \in R^\perp$. 

Proof. We have $t \in R$ iff $t \in R^\perp \to SN$ by Lemma 6.19, and $t \in R^\perp \to SN$ iff 
$E[t] \in SN$ for all $E \in R^\perp$ by the definition of $\mathcal{E} \to SN$. □ 

Now, to prove strong normalization of $\to_A$, it remains to give an interpreta- 
tion $[\![\rho]\!] \in \mathcal{R}$ for each type $\rho$. As a first attempt, we could adapt the definition 
for $\lambda{\to}$ which we have given in the introduction of this section. 

$[\![\mathsf{N}]\!] := SN$ 
$[\![\sigma \to \tau]\!] := [\![\sigma]\!] \to [\![\tau]\!]$ 

Unfortunately, the interpretation of $\mathsf{N}$ does not contain enough structure to 
prove the following properties. 

1. If $t \in SN$, then $\mathsf{S}\,t \in SN$. 

2. If $t \in SN$, $r \in S$ and $s \in SN \to S \to S$, then $\mathsf{nrec}\ r\ s\ t \in S$. 

Here, the term $t$ could reduce to a term of the shape $\mu\alpha.c$ and is thereby able 
to consume the surrounding $\mathsf{S}$ or $\mathsf{nrec}$. To define an interpretation of $\mathsf{N}$ that 
contains more structure we introduce the following definition. 

Definition 6.21. We define the collection $\mathcal{N}$ inductively as follows. 

(sn) $SN \in \mathcal{N}$ 

(suc) If $S \in \mathcal{N}$, then $\{\mathsf{S}\,\Box\} \to S \in \mathcal{N}$. 

(nrec) If $S \in \mathcal{N}$ and $T \in \mathcal{R}$, then $\{\mathsf{nrec}\ r\ s\ \Box \mid r \in T, s \in S \to T \to T\} \to T \in \mathcal{N}$. 

Fact 6.22. $\mathcal{N} \subseteq \mathcal{R}$ 
Definition 6.23. The interpretation $[\![\rho]\!]$ of a type $\rho$ is defined as follows. 

$[\![\mathsf{N}]\!] := \bigcap \mathcal{N}$ 
$[\![\sigma \to \tau]\!] := [\![\sigma]\!] \to [\![\tau]\!]$ 

Fact 6.24. For each type $\rho$ we have $[\![\rho]\!] \in \mathcal{R}$. 

Lemma 6.25. For each $n \in \mathbb{N}$ we have $\overline{n} \in [\![\mathsf{N}]\!]$. 

Proof. In order to prove this result we have to show that $\overline{n} \in R$ for all $R \in \mathcal{N}$ 
and $n \in \mathbb{N}$. We proceed by induction on the generation of $R$. 

(var) Let $R = SN$. Now we have to show that $\overline{n} \in SN$ for all $n \in \mathbb{N}$. However, $\overline{n}$ 
is in normal form, so we certainly have $\overline{n} \in SN$. 

(suc) Let $R = \{\mathsf{S}\,\Box\} \to S$. Now we have $\overline{n} \in S$ for all $n \in \mathbb{N}$ by the induction 
hypothesis. It remains to show that $\mathsf{S}\,\overline{n} \in S$ for all $n \in \mathbb{N}$. However, 
$\mathsf{S}\,\overline{n} = \overline{n+1}$, so the required result follows from the induction hypothesis. 

(nrec) Let $R = \{\mathsf{nrec}\ r\ s\ \Box \mid r \in T, s \in S \to T \to T\} \to T$. Now we have 
$\overline{n} \in S$ for all $n \in \mathbb{N}$ by the induction hypothesis. It remains to show that 
$\mathsf{nrec}\ r\ s\ \overline{n} \in T$ for all $S \in \mathcal{N}$, $T \in \mathcal{R}$, $r \in T$, $s \in S \to T \to T$ and $n \in \mathbb{N}$. 
We proceed by induction on $n$. 

(a) Let $n = 0$. We have $E[r] \in SN$ for all $E \in T^\perp$ by Lemma 6.20 and 
$s \in SN$ by Lemma 6.16. Hence $E[\mathsf{nrec}\ r\ s\ \overline{0}] \in SN$ by Lemma 6.13 
and therefore $\mathsf{nrec}\ r\ s\ \overline{0} \in T$ by Lemma 6.20. 

(b) Let $n > 0$. We have $\mathsf{nrec}\ r\ s\ \overline{n-1} \in T$ by the induction hypothesis. 
Furthermore, because $s \in S \to T \to T$ and $\overline{n-1} \in S$, we have 
$s\ \overline{n-1}\ (\mathsf{nrec}\ r\ s\ \overline{n-1}) \in T$, so $E[s\ \overline{n-1}\ (\mathsf{nrec}\ r\ s\ \overline{n-1})] \in SN$ for 
all $E \in T^\perp$ by Lemma 6.20. Therefore $E[\mathsf{nrec}\ r\ s\ (\mathsf{S}\,\overline{n-1})] \in SN$ by 
Lemma 6.13, so $\mathsf{nrec}\ r\ s\ \overline{n} \in T$ by Lemma 6.20. □ 

Lemma 6.26. If $t \in [\![\mathsf{N}]\!]$, then $\mathsf{S}\,t \in [\![\mathsf{N}]\!]$. 

Proof. Assume that $t \in [\![\mathsf{N}]\!]$. This means, $t \in R$ for all $R \in \mathcal{N}$. Now we have to 
prove that $\mathsf{S}\,t \in R$ for all $R \in \mathcal{N}$. But for all $R \in \mathcal{N}$ we have $\{\mathsf{S}\,\Box\} \to R \in \mathcal{N}$, 
hence $t \in \{\mathsf{S}\,\Box\} \to R$ by assumption and therefore $\mathsf{S}\,t \in R$. □ 

Lemma 6.27. If $r \in [\![\rho]\!]$, $s \in [\![\mathsf{N} \to \rho \to \rho]\!]$ and $t \in [\![\mathsf{N}]\!]$, then $\mathsf{nrec}\ r\ s\ t \in [\![\rho]\!]$. 

Proof. We have $[\![\mathsf{N}]\!] \in \mathcal{N}$ by Definition 6.23, so if $t \in [\![\mathsf{N}]\!]$, then $\mathsf{nrec}\ r\ s\ t \in T$ 
for all $T \in \mathcal{R}$, $r \in T$ and $s \in [\![\mathsf{N}]\!] \to T \to T$ by Definition 6.21. Also $[\![\rho]\!] \in \mathcal{R}$ by 
Fact 6.24 and $[\![\mathsf{N} \to \rho \to \rho]\!] = [\![\mathsf{N}]\!] \to [\![\rho]\!] \to [\![\rho]\!]$, hence $\mathsf{nrec}\ r\ s\ t \in [\![\rho]\!]$. □ 
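To make the induction in the proof of Lemma 6.25 concrete, here is an added example; it is not the paper's own code and does not formalize its proofs. It is a small Python evaluator for the datatype fragment of $\lambda\mu^{\mathsf{T}}$ (numerals, $\mathsf{S}$, $\mathsf{nrec}$, abstraction and application) with the control operators $\mu$ and $[\alpha]$ left out; all class and function names (Nrec, step, normalize, ADD, MULT and so on) are this example's own. The recursor fires only when its third argument starts with a constructor: $\mathsf{nrec}\ r\ s\ \overline{0}$ steps to $r$ and $\mathsf{nrec}\ r\ s\ (\mathsf{S}\,t)$ steps to $s\ t\ (\mathsf{nrec}\ r\ s\ t)$, the two reduction steps the cases (a) and (b) of that proof rely on, so on a numeral $\overline{n}$ the recursor unfolds exactly $n$ times before the base case fires, and a step counter makes that visible.

```python
# Added example, not the paper's own code: an evaluator for the datatype
# fragment of lambda-mu^T (0, S, nrec, lambda-abstraction, application).
# The control operators mu and [alpha] are left out; every name below
# (Nrec, step, normalize, ADD, MULT, ...) is this example's own.
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Zero: pass                        # the numeral 0
@dataclass(frozen=True)
class Suc: arg: Term                    # S t
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: param: str; body: Term       # \x.t
@dataclass(frozen=True)
class App: fun: Term; arg: Term         # t s
@dataclass(frozen=True)
class Nrec: r: Term; s: Term; t: Term   # nrec r s t
Term = Union[Zero, Suc, Var, Lam, App, Nrec]

def numeral(n: int) -> Term:
    """The numeral n (overlined in the paper): S applied n times to 0."""
    t: Term = Zero()
    for _ in range(n):
        t = Suc(t)
    return t

def to_int(t: Term) -> Optional[int]:
    """Read a numeral back as an int; None if t is not a numeral."""
    n = 0
    while isinstance(t, Suc):
        t, n = t.arg, n + 1
    return n if isinstance(t, Zero) else None

def free_vars(t: Term) -> set[str]:
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return free_vars(t.body) - {t.param}
    if isinstance(t, App): return free_vars(t.fun) | free_vars(t.arg)
    if isinstance(t, Suc): return free_vars(t.arg)
    if isinstance(t, Nrec): return free_vars(t.r) | free_vars(t.s) | free_vars(t.t)
    return set()

def subst(t: Term, x: str, u: Term) -> Term:
    """Capture-avoiding substitution t[x := u]."""
    if isinstance(t, Var): return u if t.name == x else t
    if isinstance(t, Suc): return Suc(subst(t.arg, x, u))
    if isinstance(t, App): return App(subst(t.fun, x, u), subst(t.arg, x, u))
    if isinstance(t, Nrec): return Nrec(subst(t.r, x, u), subst(t.s, x, u), subst(t.t, x, u))
    if isinstance(t, Lam):
        if t.param == x: return t                  # x is shadowed here
        if t.param in free_vars(u):                # rename the binder to avoid capture
            fresh = t.param
            while fresh in free_vars(u) or fresh in free_vars(t.body): fresh += "'"
            return Lam(fresh, subst(subst(t.body, t.param, Var(fresh)), x, u))
        return Lam(t.param, subst(t.body, x, u))
    return t

def step(t: Term) -> Optional[tuple[Term, str]]:
    """One leftmost-outermost reduction step, tagged with the rule that fired."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):
            return subst(t.fun.body, t.fun.param, t.arg), "beta"
        if (r := step(t.fun)) is not None: return App(r[0], t.arg), r[1]
        if (r := step(t.arg)) is not None: return App(t.fun, r[0]), r[1]
    elif isinstance(t, Nrec):
        if isinstance(t.t, Zero):                  # nrec r s 0 -> r
            return t.r, "nrec0"
        if isinstance(t.t, Suc):                   # nrec r s (S n) -> s n (nrec r s n)
            return App(App(t.s, t.t.arg), Nrec(t.r, t.s, t.t.arg)), "nrecS"
        # the recursor fires only on a constructor, so a non-constructor
        # scrutinee is reduced first (strict evaluation on the datatype)
        if (r := step(t.t)) is not None: return Nrec(t.r, t.s, r[0]), r[1]
        if (r := step(t.r)) is not None: return Nrec(r[0], t.s, t.t), r[1]
        if (r := step(t.s)) is not None: return Nrec(t.r, r[0], t.t), r[1]
    elif isinstance(t, Suc):
        if (r := step(t.arg)) is not None: return Suc(r[0]), r[1]
    elif isinstance(t, Lam):
        if (r := step(t.body)) is not None: return Lam(t.param, r[0]), r[1]
    return None                                    # normal form

def normalize(t: Term, max_steps: int = 100_000) -> tuple[Term, Counter]:
    """Reduce t to normal form, counting how often each rule fired."""
    used: Counter = Counter()
    for _ in range(max_steps):
        r = step(t)
        if r is None: return t, used
        t, rule = r
        used[rule] += 1
    raise RuntimeError("step budget exhausted")

SUC_STEP = Lam("k", Lam("acc", Suc(Var("acc"))))                  # \k.\acc. S acc
ADD = Lam("m", Lam("n", Nrec(Var("m"), SUC_STEP, Var("n"))))     # nrec m (\k.\acc. S acc) n
MULT = Lam("m", Lam("n", Nrec(Zero(),                             # nrec 0 (\k.\acc. add m acc) n
           Lam("k", Lam("acc", App(App(ADD, Var("m")), Var("acc")))), Var("n"))))

def apply2(f: Term, m: int, n: int) -> tuple[Optional[int], Counter]:
    """Normalize f m n on numerals; return the result and the rule counts."""
    nf, used = normalize(App(App(f, numeral(m)), numeral(n)))
    return to_int(nf), used
```

Calling apply2(ADD, 2, 3) returns 5 together with a count in which nrecS fired three times and nrec0 once, one unfolding per constructor of the numeral 3 plus the base case, exactly as the induction on $n$ in the proof proceeds; apply2(MULT, 3, 4) returns 12 by nesting that recursion. Handing nrec a scrutinee such as $(\lambda x.x)\,\overline{0}$ makes step reduce that argument first, which is the strict evaluation on the datatype that the conclusions of the paper mention.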

Theorem 6.28. Let $x_1 : \rho_1, \ldots, x_n : \rho_n;\ \alpha_1 : \sigma_1, \ldots, \alpha_m : \sigma_m \vdash t : \tau$ such that 
$r_i \in [\![\rho_i]\!]$ for all $1 \le i \le n$ and $E_j \in [\![\sigma_j]\!]^\perp$ for all $1 \le j \le m$, then: 

$t[x_1 := r_1, \ldots, x_n := r_n, \alpha_1 := \alpha_1 E_1, \ldots, \alpha_m := \alpha_m E_m] \in [\![\tau]\!]$. 
Proof. Abbreviate $\Gamma = x_1 : \rho_1, \ldots, x_n : \rho_n$, $\Delta = \alpha_1 : \sigma_1, \ldots, \alpha_m : \sigma_m$, with 
$t' = t[x_1 := r_1, \ldots, x_n := r_n, \alpha_1 := \alpha_1 E_1, \ldots, \alpha_m := \alpha_m E_m]$, and 
$c' = c[x_1 := r_1, \ldots, x_n := r_n, \alpha_1 := \alpha_1 E_1, \ldots, \alpha_m := \alpha_m E_m]$. Now by mutual 
induction we prove that $\Gamma; \Delta \vdash t : \tau$ implies $t' \in [\![\tau]\!]$ and that $\Gamma; \Delta \vdash c : \bot$ 
implies $c' \in SN$. 

(var) Let $\Gamma; \Delta \vdash x : \sigma$ with $x : \sigma \in \Gamma$. Now we have $x' \in [\![\sigma]\!]$ by assumption. 

(λ) Let $\Gamma; \Delta \vdash \lambda x : \sigma . t : \sigma \to \tau$ with $\Gamma, x : \sigma; \Delta \vdash t : \tau$. Moreover let $u \in [\![\sigma]\!]$ 
and $E \in [\![\tau]\!]^\perp$. Now we have $t'[x := u] \in [\![\tau]\!]$ by the induction hypothesis 
and so $E[t'[x := u]] \in SN$ by Lemma 6.20. Therefore $E[(\lambda x.t')u] \in SN$ by 
Lemma 6.10 and hence $(\lambda x.t')u \in [\![\tau]\!]$ by Lemma 6.20, so $\lambda x.t' \in [\![\sigma \to \tau]\!]$ 
by Definition 6.14. 

(app) Let $\Gamma; \Delta \vdash ts : \tau$ with $\Gamma; \Delta \vdash t : \sigma \to \tau$ and $\Gamma; \Delta \vdash s : \sigma$. Now we have 
$t' \in [\![\sigma \to \tau]\!] = [\![\sigma]\!] \to [\![\tau]\!]$ and $s' \in [\![\sigma]\!]$ by the induction hypothesis, hence 
$t's' \in [\![\tau]\!]$ by Definition 6.14. 

(zero) Let $\Gamma; \Delta \vdash 0 : \mathsf{N}$. Now we have $0 \in [\![\mathsf{N}]\!]$ by Lemma 6.25. 

(suc) Let $\Gamma; \Delta \vdash \mathsf{S}\,t : \mathsf{N}$ with $\Gamma; \Delta \vdash t : \mathsf{N}$. Now we have $t' \in [\![\mathsf{N}]\!]$ by the induction 
hypothesis and therefore $\mathsf{S}\,t' \in [\![\mathsf{N}]\!]$ by Lemma 6.26. 

(nrec) Let $\Gamma; \Delta \vdash \mathsf{nrec}\ r\ s\ t : \rho$ with $\Gamma; \Delta \vdash r : \rho$, $\Gamma; \Delta \vdash s : \mathsf{N} \to \rho \to \rho$ and 
$\Gamma; \Delta \vdash t : \mathsf{N}$. Now we have $r' \in [\![\rho]\!]$, $s' \in [\![\mathsf{N} \to \rho \to \rho]\!]$ and $t' \in [\![\mathsf{N}]\!]$ by the 
induction hypothesis. Therefore $\mathsf{nrec}\ r'\ s'\ t' \in [\![\rho]\!]$ by Lemma 6.27. 

(act) Let $\Gamma; \Delta \vdash \mu\alpha : \rho . c : \rho$ with $\Gamma; \Delta, \alpha : \rho \vdash c : \bot$. Moreover let $E \in [\![\rho]\!]^\perp$. 
Now we have $c'[\alpha := \alpha E] \in SN$ by the induction hypothesis. Hence 
$\mu\alpha.c'[\alpha := \alpha E] \in SN$ and therefore $E[\mu\alpha.c'] \in SN$ by Corollary 6.12, 
so $\mu\alpha.c' \in [\![\rho]\!]$ by Lemma 6.20. 

(pas) Let $\Gamma; \Delta \vdash [\alpha]t : \bot$ with $\alpha : \sigma \in \Delta$ and $\Gamma; \Delta \vdash t : \sigma$. Now we have 
$t' \in [\![\sigma]\!]$ by the induction hypothesis. Also, we have a context $E \in [\![\sigma]\!]^\perp$ 
by assumption. Therefore $E[t'] \in SN$ by Lemma 6.20 and so $([\alpha]t)' \in SN$ 
because $([\alpha]t)' = [\alpha]E[t']$. □ 

Corollary 6.29. If $\Gamma; \Delta \vdash t : \rho$, then $t \in SN_A$. 

Proof. We have $x_i \in [\![\rho_i]\!]$ for each $x_i : \rho_i \in \Gamma$ by Lemma 6.16 and $\Box \in [\![\sigma_j]\!]^\perp$ for 
each $\alpha_j : \sigma_j \in \Delta$ by Fact 6.18. Therefore $t \in [\![\rho]\!]$ by Theorem 6.28 and hence 
$t \in SN_A$ by Fact 6.24 and Lemma 6.16. □ 



6.2 Strong normalization of $\to_{AB}$ 

In this section we prove that $\to_B$ is strongly normalizing and that $\to_A$-steps 
can be advanced. Together with strong normalization of $\to_A$ this is sufficient 
to prove strong normalization of $\to_{AB}$. Proving strong normalization of $\to_{AB}$ 
from $\to_A$ and $\to_B$ is not specific to $\lambda\mu^{\mathsf{T}}$. Krebbers (see footnote) provides a proof of this 
result based on abstract relations in the Coq proof assistant. 

Lemma 6.30. For each term $t$ we have $t \in SN_B$. 

Proof. By performing a $\to_{\mu\eta}$- or $\to_{\mu i}$-reduction step on $t$, the term $t$ decreases 
strictly in size and therefore $\to_B$-reduction is strongly normalizing. □ 

Lemma 6.31. A single $\to_A$-reduction step can be advanced. That means, if 
$t_1 \to_B t_2 \to_A t_3$, then there is a $t_4$ such that the following diagram commutes. 




Proof. We prove this lemma by distinguishing cases on $t_1 \to_B t_2$ and $t_2 \to_A t_3$; 
we treat some interesting cases. 

1. Let $(\lambda x.t)r \to_B (\lambda x.t)r' \to_A t[x := r']$ with $r \to_B r'$. Now by an 
obvious substitution lemma we have $t[x := r] \twoheadrightarrow_{AB} t[x := r']$, hence the 
following diagram commutes. 

[Diagram: the two paths $(\lambda x.t)r \to_B (\lambda x.t)r' \to_A t[x := r']$ and $(\lambda x.t)r \to_A t[x := r] \twoheadrightarrow_{AB} t[x := r']$ from $(\lambda x.t)r$ to $t[x := r']$.] 

2. Let $E[\mu\alpha.[\alpha]\mu\beta.c] \to_B E[\mu\alpha.c[\beta := \alpha\,\Box]] \to_A \mu\alpha.c[\beta := \alpha\,\Box][\alpha := \alpha E]$. 
Now the following diagram commutes by an obvious substitution lemma. 

[Diagram: the two paths $E[\mu\alpha.[\alpha]\mu\beta.c] \to_B E[\mu\alpha.c[\beta := \alpha\,\Box]] \to_A \mu\alpha.c[\beta := \alpha\,\Box][\alpha := \alpha E]$ and $E[\mu\alpha.[\alpha]\mu\beta.c] \to_A \mu\alpha.[\alpha]E[\mu\beta.c[\alpha := \alpha E]] \to_A \mu\alpha.[\alpha]\mu\beta.c[\alpha := \alpha E][\beta := \beta E] \twoheadrightarrow_{AB} \mu\alpha.c[\beta := \alpha\,\Box][\alpha := \alpha E]$.] □ 

Corollary 6.32. A single $\to_A$-reduction step after multiple $\to_B$-reduction steps 
can be advanced. That means, if $t_1 \twoheadrightarrow_B t_2 \to_A t_3$, then there is a $t_4$ such that 
the following diagram commutes. 




Footnote: The Coq proof is available at http://robbertkrebbers.nl/misc/sn_commute.{v,html} 
Proof. The result holds by repeatedly applying Lemma 6.31 starting from right 
to left as the diagram indicates. 

[Diagram: the $\twoheadrightarrow_B$-steps from $t_1$ to $t_2$ followed by the $\to_A$-step $t_2 \to_A t_3$; Lemma 6.31 is applied to each $\to_B$-step in turn, from right to left, yielding $t_1 \to_A t_4$ and $t_4 \twoheadrightarrow_{AB} t_3$.] □ 



Lemma 6.33. If $t \in SN_A$, then $t \in SN_{AB}$. 

Proof. We prove this result by induction on the derivation of $t \in SN_A$, so by 
the induction hypothesis we obtain that for each term $t'$ with $t \to_A t'$ we have 
$t' \in SN_{AB}$. By Lemma 6.30 we have $t \in SN_B$, hence it suffices to prove that for all 
reduction sequences $t \twoheadrightarrow_B t_2 \to_A t_3$ we have $t_3 \in SN_{AB}$. Now by Corollary 6.32 
we obtain a $t_4$ such that the following diagram commutes. 

[Diagram: the two paths $t \twoheadrightarrow_B t_2 \to_A t_3$ and $t \to_A t_4 \twoheadrightarrow_{AB} t_3$.] 

By the induction hypothesis we have $t_4 \in SN_{AB}$. Therefore, since $t_4 \twoheadrightarrow_{AB} t_3$, 
we have $t_3 \in SN_{AB}$ by Fact 6.4, so we are done. □ 

Theorem 6.34. If $t$ is well-typed, then $t \in SN_{AB}$. 

Proof. This result follows directly from Lemma 6.33 and Corollary 6.29. □ 



7 Conclusions and further work 

In this paper we have introduced the $\lambda\mu^{\mathsf{T}}$-calculus, an extension of Parigot's $\lambda\mu$- 
calculus to include a type of natural numbers $\mathsf{N}$ with primitive recursion $\mathsf{nrec}$, 
à la Gödel's T. We have proven the main meta-theoretical properties and have 
shown that exactly the provably recursive functions in first-order arithmetic can 
be represented. 

In order to maintain confluence and a normal form theorem the $\lambda\mu^{\mathsf{T}}$-calculus 
is not a straightforward combination of the $\lambda\mu$-calculus and Gödel's T. Both 
these systems are originally call-by-name, whereas $\lambda\mu^{\mathsf{T}}$ is a call-by-name system 
with strict evaluation on datatypes. 

In our treatment of the reduction rules in $\lambda\mu^{\mathsf{T}}$, we have observed a tension 
between the call-by-name features taken directly from Parigot's original calcu- 
lus, and the need to restrict the rules for the datatypes to be call-by-value. We 
plan to investigate a fully-fledged call-by-value version of $\lambda\mu^{\mathsf{T}}$ (see for exam- 
ple [OS97, Py98] for definitions of a call-by-value variant of $\lambda\mu$). We expect that, 
apart from our proof of strong normalization, most of our results will extend 
to such a system. For a proof of strong normalization we will likely experience 
problems related to those discussed in [DN05]. The key issue is our Lemma 6.10, 
which states that if $r \in SN$ and $E[t[x := r]] \in SN$, then $E[(\lambda x.t)r] \in SN$. In a call- 
by-value variant the reduction rule $v(\mu\alpha.c) \to \mu\alpha.c[\alpha := \alpha\,(v\,\Box)]$ will complicate 
this because $(\lambda x.t)r$ is not solely a $\beta$-redex anymore. 

Instead of the $\lambda\mu$-calculus it would be interesting to consider a system with 
the control operators catch and throw as primitive (see Figure 4 for the typing 
rules). Such a system is described by Crolard [Cro99], who proves a correspon- 
dence with $\lambda\mu$. Herbelin [Her10] also considers a variant of such a system to 
define an intuitionistic logic that proves a variant of Markov's principle. 

(a) catch: $\dfrac{\Gamma; \Delta, \alpha : \rho \vdash t : \rho}{\Gamma; \Delta \vdash \mathsf{catch}_\alpha\ t : \rho}$ 

(b) throw: $\dfrac{\Gamma; \Delta \vdash t : \rho \qquad \alpha : \rho \in \Delta}{\Gamma; \Delta \vdash \mathsf{throw}_\alpha\ t : \tau}$ 

Figure 4: The typing rules for the primitives catch and throw. 

The further reaching goal would be to define a dependently typed $\lambda$-calculus 
with datatypes and control operators that allows program extraction from clas- 
sical proofs. In such a calculus one can write specifications of programs, which 
can then be proven using classical logic. The extraction mechanism would then 
extract a program from such a proof, where the classical reasoning steps are ex- 
tracted to control operators. This would yield programs-with-control that are 
correct by construction because they are extracted from a proof of the specifi- 
cation. This would extend the well-known extraction method for constructive 
proofs, see [PM89] for example, to classical proofs. 

This goal is particularly useful to obtain provably correct algorithms where 
the use of control operators would really pay off (for example if a lot of back- 
tracking is involved). See [CGU00] for applications to classical search algo- 
rithms. The work of Makarov [Mak06] may also be useful here, as it gives ways 
to optimize program extraction to make it feasible for practical programming. 

Acknowledgments We are grateful to the anonymous referees who spotted 
some mistakes in earlier versions of this paper and provided several helpful 
suggestions. 